[ { "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "opcode": 3, "pid": 0, "process_name": "System Idle Process", "serial_event_id": 1, "subtype": "create", "timestamp": 116444736000000000, "unique_pid": 1 }, { "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "opcode": 3, "parent_process_name": "System Idle Process", "pid": 4, "process_name": "System", "serial_event_id": 2, "subtype": "create", "timestamp": 131485996510000000, "unique_pid": 2, "unique_ppid": 1, "user_domain": "NT AUTHORITY", "user_name": "SYSTEM" }, { "command_line": "\\SystemRoot\\System32\\smss.exe", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "63d3c30b497347495b8ea78a38188969", "opcode": 3, "parent_process_name": "System", "pid": 284, "ppid": 4, "process_name": "smss.exe", "process_path": "C:\\Windows\\System32\\smss.exe", "serial_event_id": 3, "subtype": "create", "timestamp": 131485996510000000, "unique_pid": 3, "unique_ppid": 2, "user_domain": "NT AUTHORITY", "user_name": "SYSTEM" }, { "command_line": "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "60c2862b4bf0fd9f582ef344c2b1ec72", "opcode": 3, "pid": 372, "ppid": 364, "process_name": "csrss.exe", "process_path": "C:\\Windows\\System32\\csrss.exe", "serial_event_id": 4, "subtype": "create", "timestamp": 131485996510000000, "unique_pid": 4, "unique_ppid": 0, "user_domain": "NT AUTHORITY", "user_name": "SYSTEM" }, { "command_line": "wininit.exe", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "94355c28c1970635a31b3fe52eb7ceba", "opcode": 3, "pid": 424, "ppid": 364, "process_name": "wininit.exe", "process_path": "C:\\Windows\\System32\\wininit.exe", "serial_event_id": 5, "subtype": "create", "timestamp": 131485996510000000, "unique_pid": 5, "unique_ppid": 0, "user_domain": "NT AUTHORITY", "user_name": "SYSTEM" }, { "command_line": "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "60c2862b4bf0fd9f582ef344c2b1ec72", "opcode": 3, "pid": 436, "ppid": 416, "process_name": "csrss.exe", "process_path": "C:\\Windows\\System32\\csrss.exe", "serial_event_id": 6, "subtype": "create", "timestamp": 131485996510000000, "unique_pid": 6, "unique_ppid": 0, "user_domain": "NT AUTHORITY", "user_name": "SYSTEM" }, { "command_line": "winlogon.exe", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "1151b1baa6f350b1db6598e0fea7c457", "opcode": 3, "pid": 472, "ppid": 416, "process_name": "winlogon.exe", "process_path": "C:\\Windows\\System32\\winlogon.exe", "serial_event_id": 7, "subtype": "create", "timestamp": 131485996510000000, "unique_pid": 7, "unique_ppid": 0, "user_domain": "NT AUTHORITY", "user_name": "SYSTEM" }, { "command_line": "C:\\Windows\\system32\\services.exe", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "24acb7e5be595468e3b9aa488b9b4fcb", "opcode": 3, "parent_process_name": "wininit.exe", "parent_process_path": "C:\\Windows\\System32\\wininit.exe", "pid": 524, "ppid": 424, "process_name": "services.exe", "process_path": "C:\\Windows\\System32\\services.exe", "serial_event_id": 8, "subtype": "create", "timestamp": 131485996520000000, "unique_pid": 8, "unique_ppid": 5, "user_domain": "NT AUTHORITY", "user_name": "SYSTEM" }, { "command_line": "C:\\Windows\\system32\\lsass.exe", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "7554a1b82b4a222fd4cc292abd38a558", "opcode": 3, "parent_process_name": "wininit.exe", "parent_process_path": "C:\\Windows\\System32\\wininit.exe", "pid": 536, "ppid": 424, "process_name": "lsass.exe", "process_path": "C:\\Windows\\System32\\lsass.exe", "serial_event_id": 9, "subtype": "create", "timestamp": 131485996520000000, "unique_pid": 9, "unique_ppid": 5, "user_domain": "NT AUTHORITY", "user_name": "SYSTEM" }, { "command_line": "C:\\Windows\\system32\\lsm.exe", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "9662ee182644511439f1c53745dc1c88", "opcode": 3, "parent_process_name": "wininit.exe", "parent_process_path": "C:\\Windows\\System32\\wininit.exe", "pid": 544, "ppid": 424, "process_name": "lsm.exe", "process_path": "C:\\Windows\\System32\\lsm.exe", "serial_event_id": 10, "subtype": "create", "timestamp": 131485996520000000, "unique_pid": 10, "unique_ppid": 5, "user_domain": "NT AUTHORITY", "user_name": "SYSTEM" }, { "command_line": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "c78655bc80301d76ed4fef1c1ea40a7d", "opcode": 3, "parent_process_name": "services.exe", "parent_process_path": "C:\\Windows\\System32\\services.exe", "pid": 648, "ppid": 524, "process_name": "svchost.exe", "process_path": "C:\\Windows\\System32\\svchost.exe", "serial_event_id": 11, "subtype": "create", "timestamp": 131485996520000000, "unique_pid": 11, "unique_ppid": 8, "user_domain": "NT AUTHORITY", "user_name": "SYSTEM" }, { "command_line": "\"C:\\Program Files\\VMware\\VMware Tools\\vmacthlp.exe\"", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "3c4d41c4f8cdd2ca945e91a61e6cfbaf", "opcode": 3, "parent_process_name": "services.exe", "parent_process_path": "C:\\Windows\\System32\\services.exe", "pid": 708, "ppid": 524, "process_name": "vmacthlp.exe", "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmacthlp.exe", "serial_event_id": 12, "subtype": "create", "timestamp": 131485996520000000, "unique_pid": 12, "unique_ppid": 8, "user_domain": "NT AUTHORITY", "user_name": "SYSTEM" }, { "command_line": "C:\\Windows\\system32\\svchost.exe -k RPCSS", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "c78655bc80301d76ed4fef1c1ea40a7d", "opcode": 3, "parent_process_name": "services.exe", "parent_process_path": "C:\\Windows\\System32\\services.exe", "pid": 752, "ppid": 524, "process_name": "svchost.exe", "process_path": "C:\\Windows\\System32\\svchost.exe", "serial_event_id": 13, "subtype": "create", "timestamp": 131485996520000000, "unique_pid": 13, "unique_ppid": 8, "user_domain": "NT AUTHORITY", "user_name": "NETWORK SERVICE" }, { "command_line": "\"LogonUI.exe\" /flags:0x0", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "715f03b4c7223349768013ea95d9e5b7", "opcode": 3, "parent_process_name": "winlogon.exe", "parent_process_path": "C:\\Windows\\System32\\winlogon.exe", "pid": 828, "ppid": 472, "process_name": "LogonUI.exe", "process_path": "C:\\Windows\\System32\\LogonUI.exe", "serial_event_id": 14, "subtype": "create", "timestamp": 131485996520000000, "unique_pid": 14, "unique_ppid": 7, "user_domain": "NT AUTHORITY", "user_name": "SYSTEM" }, { "command_line": "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "c78655bc80301d76ed4fef1c1ea40a7d", "opcode": 3, "parent_process_name": "services.exe", "parent_process_path": "C:\\Windows\\System32\\services.exe", "pid": 848, "ppid": 524, "process_name": "svchost.exe", "process_path": "C:\\Windows\\System32\\svchost.exe", "serial_event_id": 15, "subtype": "create", "timestamp": 131485996520000000, "unique_pid": 15, "unique_ppid": 8, "user_domain": "NT AUTHORITY", "user_name": "LOCAL SERVICE" }, { "command_line": "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "c78655bc80301d76ed4fef1c1ea40a7d", "opcode": 3, "parent_process_name": "services.exe", "parent_process_path": "C:\\Windows\\System32\\services.exe", "pid": 896, "ppid": 524, "process_name": "svchost.exe", "process_path": "C:\\Windows\\System32\\svchost.exe", "serial_event_id": 16, "subtype": "create", "timestamp": 131485996520000000, "unique_pid": 16, "unique_ppid": 8, "user_domain": "NT AUTHORITY", "user_name": "SYSTEM" }, { "command_line": "C:\\Windows\\system32\\svchost.exe -k netsvcs", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "c78655bc80301d76ed4fef1c1ea40a7d", "opcode": 3, "parent_process_name": "services.exe", "parent_process_path": "C:\\Windows\\System32\\services.exe", "pid": 924, "ppid": 524, "process_name": "svchost.exe", "process_path": "C:\\Windows\\System32\\svchost.exe", "serial_event_id": 17, "subtype": "create", "timestamp": 131485996520000000, "unique_pid": 17, "unique_ppid": 8, "user_domain": "NT AUTHORITY", "user_name": "SYSTEM" }, { "command_line": "C:\\Windows\\system32\\svchost.exe -k LocalService", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "c78655bc80301d76ed4fef1c1ea40a7d", "opcode": 3, "parent_process_name": "services.exe", "parent_process_path": "C:\\Windows\\System32\\services.exe", "pid": 264, "ppid": 524, "process_name": "svchost.exe", "process_path": "C:\\Windows\\System32\\svchost.exe", "serial_event_id": 18, "subtype": "create", "timestamp": 131485996530000000, "unique_pid": 18, "unique_ppid": 8, "user_domain": "NT AUTHORITY", "user_name": "LOCAL SERVICE" }, { "command_line": "C:\\Windows\\system32\\svchost.exe -k NetworkService", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "c78655bc80301d76ed4fef1c1ea40a7d", "opcode": 3, "parent_process_name": "services.exe", "parent_process_path": "C:\\Windows\\System32\\services.exe", "pid": 968, "ppid": 524, "process_name": "svchost.exe", "process_path": "C:\\Windows\\System32\\svchost.exe", "serial_event_id": 19, "subtype": "create", "timestamp": 131485996530000000, "unique_pid": 19, "unique_ppid": 8, "user_domain": "NT AUTHORITY", "user_name": "NETWORK SERVICE" }, { "command_line": "C:\\Windows\\System32\\spoolsv.exe", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "b96c17b5dc1424d56eea3a99e97428cd", "opcode": 3, "parent_process_name": "services.exe", "parent_process_path": "C:\\Windows\\System32\\services.exe", "pid": 1108, "ppid": 524, "process_name": "spoolsv.exe", "process_path": "C:\\Windows\\System32\\spoolsv.exe", "serial_event_id": 20, "subtype": "create", "timestamp": 131485996530000000, "unique_pid": 20, "unique_ppid": 8, "user_domain": "NT AUTHORITY", "user_name": "SYSTEM" }, { "command_line": "C:\\Windows\\system32\\svchost.exe -k LocalServiceNoNetwork", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "c78655bc80301d76ed4fef1c1ea40a7d", "opcode": 3, "parent_process_name": "services.exe", "parent_process_path": "C:\\Windows\\System32\\services.exe", "pid": 1136, "ppid": 524, "process_name": "svchost.exe", "process_path": "C:\\Windows\\System32\\svchost.exe", "serial_event_id": 21, "subtype": "create", "timestamp": 131485996530000000, "unique_pid": 21, "unique_ppid": 8, "user_domain": "NT AUTHORITY", "user_name": "LOCAL SERVICE" }, { "command_line": "\"C:\\Program Files\\VMware\\VMware Tools\\VMware VGAuth\\VGAuthService.exe\"", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "ccd745aa6425c7637a34ff12ed8a1c18", "opcode": 3, "parent_process_name": "services.exe", "parent_process_path": "C:\\Windows\\System32\\services.exe", "pid": 1320, "ppid": 524, "process_name": "VGAuthService.exe", "process_path": "C:\\Program Files\\VMware\\VMware Tools\\VMware VGAuth\\VGAuthService.exe", "serial_event_id": 22, "subtype": "create", "timestamp": 131485996530000000, "unique_pid": 22, "unique_ppid": 8, "user_domain": "NT AUTHORITY", "user_name": "SYSTEM" }, { "command_line": "\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\"", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "404202d6f0628331aaade8c8f9ef6feb", "opcode": 3, "parent_process_name": "services.exe", "parent_process_path": "C:\\Windows\\System32\\services.exe", "pid": 1344, "ppid": 524, "process_name": "vmtoolsd.exe", "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", "serial_event_id": 23, "subtype": "create", "timestamp": 131485996530000000, "unique_pid": 23, "unique_ppid": 8, "user_domain": "NT AUTHORITY", "user_name": "SYSTEM" }, { "command_line": "\"C:\\Program Files\\VMware\\VMware Tools\\VMware CAF\\pme\\bin\\ManagementAgentHost.exe\"", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "3f61b1a4fe078bb7705b508cfcbb987e", "opcode": 3, "parent_process_name": "services.exe", "parent_process_path": "C:\\Windows\\System32\\services.exe", "pid": 1376, "ppid": 524, "process_name": "ManagementAgentHost.exe", "process_path": "C:\\Program Files\\VMware\\VMware Tools\\VMware CAF\\pme\\bin\\ManagementAgentHost.exe", "serial_event_id": 24, "subtype": "create", "timestamp": 131485996530000000, "unique_pid": 24, "unique_ppid": 8, "user_domain": "NT AUTHORITY", "user_name": "SYSTEM" }, { "command_line": "C:\\Windows\\system32\\svchost.exe -k NetworkServiceNetworkRestricted", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "c78655bc80301d76ed4fef1c1ea40a7d", "opcode": 3, "parent_process_name": "services.exe", "parent_process_path": "C:\\Windows\\System32\\services.exe", "pid": 1692, "ppid": 524, "process_name": "svchost.exe", "process_path": "C:\\Windows\\System32\\svchost.exe", "serial_event_id": 25, "subtype": "create", "timestamp": 131485996540000000, "unique_pid": 25, "unique_ppid": 8, "user_domain": "NT AUTHORITY", "user_name": "NETWORK SERVICE" }, { "command_line": "C:\\Windows\\system32\\wbem\\wmiprvse.exe", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "8f4ecbbfe943030acfd9e892b2513ec1", "opcode": 3, "parent_process_name": "svchost.exe", "parent_process_path": "C:\\Windows\\System32\\svchost.exe", "pid": 1840, "ppid": 648, "process_name": "WmiPrvSE.exe", "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "serial_event_id": 26, "subtype": "create", "timestamp": 131485996540000000, "unique_pid": 26, "unique_ppid": 11, "user_domain": "NT AUTHORITY", "user_name": "NETWORK SERVICE" }, { "command_line": "C:\\Windows\\System32\\msdtc.exe", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "de0ece52236cfa3ed2dbfc03f28253a8", "opcode": 3, "parent_process_name": "services.exe", "parent_process_path": "C:\\Windows\\System32\\services.exe", "pid": 960, "ppid": 524, "process_name": "msdtc.exe", "process_path": "C:\\Windows\\System32\\msdtc.exe", "serial_event_id": 27, "subtype": "create", "timestamp": 131485996550000000, "unique_pid": 27, "unique_ppid": 8, "user_domain": "NT AUTHORITY", "user_name": "NETWORK SERVICE" }, { "command_line": "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "60c2862b4bf0fd9f582ef344c2b1ec72", "opcode": 3, "pid": 3048, "ppid": 3040, "process_name": "csrss.exe", "process_path": "C:\\Windows\\System32\\csrss.exe", "serial_event_id": 28, "subtype": "create", "timestamp": 131485996790000000, "unique_pid": 28, "unique_ppid": 0, "user_domain": "NT AUTHORITY", "user_name": "SYSTEM" }, { "command_line": "winlogon.exe", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "1151b1baa6f350b1db6598e0fea7c457", "opcode": 3, "pid": 2108, "ppid": 3040, "process_name": "winlogon.exe", "process_path": "C:\\Windows\\System32\\winlogon.exe", "serial_event_id": 29, "subtype": "create", "timestamp": 131485996790000000, "unique_pid": 29, "unique_ppid": 0, "user_domain": "NT AUTHORITY", "user_name": "SYSTEM" }, { "command_line": "rdpclip", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "25d284eb2f12254c001afe9a82575a81", "opcode": 3, "parent_process_name": "svchost.exe", "parent_process_path": "C:\\Windows\\System32\\svchost.exe", "pid": 2704, "ppid": 968, "process_name": "rdpclip.exe", "process_path": "C:\\Windows\\System32\\rdpclip.exe", "serial_event_id": 30, "subtype": "create", "timestamp": 131485996810000000, "unique_pid": 30, "unique_ppid": 19, "user_domain": "vagrant", "user_name": "vagrant" }, { "command_line": "\"taskhost.exe\"", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "517110bd83835338c037269e603db55d", "opcode": 3, "parent_process_name": "services.exe", "parent_process_path": "C:\\Windows\\System32\\services.exe", "pid": 2776, "ppid": 524, "process_name": "taskhost.exe", "process_path": "C:\\Windows\\System32\\taskhost.exe", "serial_event_id": 31, "subtype": "create", "timestamp": 131485996810000000, "unique_pid": 31, "unique_ppid": 8, "user_domain": "vagrant", "user_name": "vagrant" }, { "command_line": "C:\\Windows\\system32\\sppsvc.exe", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "e17e0188bb90fae42d83e98707efa59c", "opcode": 3, "parent_process_name": "services.exe", "parent_process_path": "C:\\Windows\\System32\\services.exe", "pid": 2804, "ppid": 524, "process_name": "sppsvc.exe", "process_path": "C:\\Windows\\System32\\sppsvc.exe", "serial_event_id": 32, "subtype": "create", "timestamp": 131485996810000000, "unique_pid": 32, "unique_ppid": 8, "user_domain": "NT AUTHORITY", "user_name": "NETWORK SERVICE" }, { "command_line": "\"C:\\Windows\\system32\\Dwm.exe\"", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "f162d5f5e845b9dc352dd1bad8cef1bc", "opcode": 3, "parent_process_name": "svchost.exe", "parent_process_path": "C:\\Windows\\System32\\svchost.exe", "pid": 2464, "ppid": 896, "process_name": "dwm.exe", "process_path": "C:\\Windows\\System32\\dwm.exe", "serial_event_id": 33, "subtype": "create", "timestamp": 131485997150000000, "unique_pid": 33, "unique_ppid": 16, "user_domain": "vagrant", "user_name": "vagrant" }, { "command_line": "C:\\Windows\\Explorer.EXE", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "ac4c51eb24aa95b77f705ab159189e24", "opcode": 3, "pid": 2460, "ppid": 3052, "process_name": "explorer.exe", "process_path": "C:\\Windows\\explorer.exe", "serial_event_id": 34, "subtype": "create", "timestamp": 131485997150000000, "unique_pid": 34, "unique_ppid": 0, "user_domain": "vagrant", "user_name": "vagrant" }, { "command_line": "\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "404202d6f0628331aaade8c8f9ef6feb", "opcode": 3, "parent_process_name": "explorer.exe", "parent_process_path": "C:\\Windows\\explorer.exe", "pid": 2604, "ppid": 2460, "process_name": "vmtoolsd.exe", "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", "serial_event_id": 35, "subtype": "create", "timestamp": 131485997150000000, "unique_pid": 35, "unique_ppid": 34, "user_domain": "vagrant", "user_name": "vagrant" }, { "command_line": "C:\\Windows\\system32\\SearchIndexer.exe /Embedding", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "ad31942bdf3d594c404874613bc2fe4d", "opcode": 3, "parent_process_name": "services.exe", "parent_process_path": "C:\\Windows\\System32\\services.exe", "pid": 1620, "ppid": 524, "process_name": "SearchIndexer.exe", "process_path": "C:\\Windows\\System32\\SearchIndexer.exe", "serial_event_id": 36, "subtype": "create", "timestamp": 131485997210000000, "unique_pid": 36, "unique_ppid": 8, "user_domain": "NT AUTHORITY", "user_name": "SYSTEM" }, { "command_line": "C:\\Windows\\system32\\svchost.exe -k LocalServiceAndNoImpersonation", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "c78655bc80301d76ed4fef1c1ea40a7d", "opcode": 3, "parent_process_name": "services.exe", "parent_process_path": "C:\\Windows\\System32\\services.exe", "pid": 3684, "ppid": 524, "process_name": "svchost.exe", "process_path": "C:\\Windows\\System32\\svchost.exe", "serial_event_id": 37, "subtype": "create", "timestamp": 131485997750000000, "unique_pid": 37, "unique_ppid": 8, "user_domain": "NT AUTHORITY", "user_name": "LOCAL SERVICE" }, { "command_line": "C:\\Windows\\System32\\svchost.exe -k secsvcs", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "c78655bc80301d76ed4fef1c1ea40a7d", "opcode": 3, "parent_process_name": "services.exe", "parent_process_path": "C:\\Windows\\System32\\services.exe", "pid": 3712, "ppid": 524, "process_name": "svchost.exe", "process_path": "C:\\Windows\\System32\\svchost.exe", "serial_event_id": 38, "subtype": "create", "timestamp": 131485997750000000, "unique_pid": 38, "unique_ppid": 8, "user_domain": "NT AUTHORITY", "user_name": "SYSTEM" }, { "command_line": "\"C:\\Windows\\system32\\cmd.exe\" ", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "5746bd7e255dd6a8afa06f7c42c1ba41", "opcode": 3, "parent_process_name": "explorer.exe", "parent_process_path": "C:\\Windows\\explorer.exe", "pid": 2864, "ppid": 2460, "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "serial_event_id": 39, "subtype": "create", "timestamp": 131491838190000000, "unique_pid": 39, "unique_ppid": 34, "user_domain": "vagrant", "user_name": "vagrant" }, { "command_line": "\\??\\C:\\Windows\\system32\\conhost.exe", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "bd51024fb014064bc9fe8c715c18392f", "opcode": 3, "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\System32\\csrss.exe", "pid": 2228, "ppid": 3048, "process_name": "conhost.exe", "process_path": "C:\\Windows\\System32\\conhost.exe", "serial_event_id": 40, "subtype": "create", "timestamp": 131491838190000000, "unique_pid": 40, "unique_ppid": 28, "user_domain": "vagrant", "user_name": "vagrant" }, { "command_line": "C:\\Windows\\system32\\svchost.exe -k SDRSVC", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "c78655bc80301d76ed4fef1c1ea40a7d", "opcode": 3, "parent_process_name": "services.exe", "parent_process_path": "C:\\Windows\\System32\\services.exe", "pid": 3820, "ppid": 524, "process_name": "svchost.exe", "process_path": "C:\\Windows\\System32\\svchost.exe", "serial_event_id": 41, "subtype": "create", "timestamp": 131491940310000000, "unique_pid": 41, "unique_ppid": 8, "user_domain": "NT AUTHORITY", "user_name": "SYSTEM" }, { "command_line": "C:\\Windows\\servicing\\TrustedInstaller.exe", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "773212b2aaa24c1e31f10246b15b276c", "opcode": 3, "parent_process_name": "services.exe", "parent_process_path": "C:\\Windows\\System32\\services.exe", "pid": 3384, "ppid": 524, "process_name": "TrustedInstaller.exe", "process_path": "C:\\Windows\\servicing\\TrustedInstaller.exe", "serial_event_id": 42, "subtype": "create", "timestamp": 131509366130000000, "unique_pid": 42, "unique_ppid": 8, "user_domain": "NT AUTHORITY", "user_name": "SYSTEM" }, { "command_line": "C:\\Windows\\system32\\wbem\\wmiprvse.exe", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "8f4ecbbfe943030acfd9e892b2513ec1", "opcode": 3, "parent_process_name": "svchost.exe", "parent_process_path": "C:\\Windows\\System32\\svchost.exe", "pid": 1860, "ppid": 648, "process_name": "WmiPrvSE.exe", "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "serial_event_id": 43, "subtype": "create", "timestamp": 131509366230000000, "unique_pid": 43, "unique_ppid": 11, "user_domain": "NT AUTHORITY", "user_name": "SYSTEM" }, { "command_line": "taskeng.exe {6108575A-1CC2-4917-BB5D-5929CDC39B9C}", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "65ea57712340c09b1b0c427b4848ae05", "opcode": 3, "parent_process_name": "svchost.exe", "parent_process_path": "C:\\Windows\\System32\\svchost.exe", "pid": 660, "ppid": 924, "process_name": "taskeng.exe", "process_path": "C:\\Windows\\System32\\taskeng.exe", "serial_event_id": 44, "subtype": "create", "timestamp": 131509371900000000, "unique_pid": 44, "unique_ppid": 17, "user_domain": "vagrant", "user_name": "vagrant" }, { "command_line": "C:\\Windows\\system32\\msiexec.exe /V", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "a190da6546501cb4146bbcc0b6a3f48b", "opcode": 3, "parent_process_name": "services.exe", "parent_process_path": "C:\\Windows\\System32\\services.exe", "pid": 760, "ppid": 524, "process_name": "msiexec.exe", "process_path": "C:\\Windows\\System32\\msiexec.exe", "serial_event_id": 45, "subtype": "create", "timestamp": 131509372370000000, "unique_pid": 45, "unique_ppid": 8, "user_domain": "NT AUTHORITY", "user_name": "SYSTEM" }, { "command_line": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "3e5cfefdda537ddbed9f5c6c7e926cdd", "opcode": 3, "parent_process_name": "svchost.exe", "parent_process_path": "C:\\Windows\\System32\\svchost.exe", "pid": 2824, "ppid": 648, "process_name": "wsmprovhost.exe", "process_path": "C:\\Windows\\System32\\wsmprovhost.exe", "serial_event_id": 46, "subtype": "create", "timestamp": 131509373980000000, "unique_pid": 46, "unique_ppid": 11, "user_domain": "vagrant", "user_name": "vagrant" }, { "command_line": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "3e5cfefdda537ddbed9f5c6c7e926cdd", "opcode": 3, "parent_process_name": "svchost.exe", "parent_process_path": "C:\\Windows\\System32\\svchost.exe", "pid": 3408, "ppid": 648, "process_name": "wsmprovhost.exe", "process_path": "C:\\Windows\\System32\\wsmprovhost.exe", "serial_event_id": 47, "subtype": "create", "timestamp": 131509374020000000, "unique_pid": 47, "unique_ppid": 11, "user_domain": "vagrant", "user_name": "vagrant" }, { "command_line": "\"C:\\Python27\\python.exe\" worker.py --target c:\\workspace\\red_ttp\\process_name_masquerade.py", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "21f73cd55626f0ec9fbce53eafbef128", "opcode": 3, "parent_process_name": "wsmprovhost.exe", "parent_process_path": "C:\\Windows\\System32\\wsmprovhost.exe", "pid": 420, "ppid": 3408, "process_name": "python.exe", "process_path": "C:\\Python27\\python.exe", "serial_event_id": 48, "subtype": "create", "timestamp": 131509374020000000, "unique_pid": 48, "unique_ppid": 47, "user_domain": "vagrant", "user_name": "vagrant" }, { "command_line": "\\??\\C:\\Windows\\system32\\conhost.exe", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "bd51024fb014064bc9fe8c715c18392f", "opcode": 3, "parent_process_name": "csrss.exe", "parent_process_path": "C:\\Windows\\System32\\csrss.exe", "pid": 3080, "ppid": 372, "process_name": "conhost.exe", "process_path": "C:\\Windows\\System32\\conhost.exe", "serial_event_id": 49, "subtype": "create", "timestamp": 131509374020000000, "unique_pid": 49, "unique_ppid": 4, "user_domain": "vagrant", "user_name": "vagrant" }, { "command_line": "C:\\Python27\\python.exe myappserver.py --log-file C:\\workspace\\dev\\myapp.out --update-server-port 8446 --sout C:\\workspace\\Libraries\\myapp\\myapp\\python\\myapp\\hunt_out.json", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "21f73cd55626f0ec9fbce53eafbef128", "opcode": 3, "parent_process_name": "python.exe", "parent_process_path": "C:\\Python27\\python.exe", "pid": 1688, "ppid": 420, "process_name": "python.exe", "process_path": "C:\\Python27\\python.exe", "serial_event_id": 50, "subtype": "create", "timestamp": 131509374100000000, "unique_pid": 50, "unique_ppid": 48, "user_domain": "vagrant", "user_name": "vagrant" }, { "command_line": "C:\\Python27\\python.exe C:\\workspace\\dev\\Simple_Https_Server\\simple_https_server.py", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "21f73cd55626f0ec9fbce53eafbef128", "opcode": 3, "parent_process_name": "python.exe", "parent_process_path": "C:\\Python27\\python.exe", "pid": 1720, "ppid": 420, "process_name": "python.exe", "process_path": "C:\\Python27\\python.exe", "serial_event_id": 51, "subtype": "create", "timestamp": 131509374100000000, "unique_pid": 51, "unique_ppid": 48, "user_domain": "vagrant", "user_name": "vagrant" }, { "command_line": "C:\\Windows\\System32\\LauncherProcess.exe", "event_subtype_full": "already_running", "event_type": "process", "event_type_full": "process_event", "md5": "6a8649f3205b311e208ac35a04e99700", "opcode": 3, "parent_process_name": "svchost.exe", "parent_process_path": "C:\\Windows\\System32\\svchost.exe", "pid": 2164, "ppid": 648, "process_name": "LauncherProcess.exe", "process_path": "C:\\Windows\\System32\\LauncherProcess.exe", "serial_event_id": 52, "subtype": "create", "timestamp": 131509374150000000, "unique_pid": 52, "unique_ppid": 11, "user_domain": "NT AUTHORITY", "user_name": "SYSTEM" }, { "command_line": "C:\\Windows\\system32\\cmd.exe /c \"c:\\workspace\\red_ttp\\process_name_masquerade.py\"", "event_subtype_full": "creation_event", "event_type": "process", "event_type_full": "process_event", "md5": "5746bd7e255dd6a8afa06f7c42c1ba41", "opcode": 1, "parent_process_name": "python.exe", "parent_process_path": "C:\\Python27\\python.exe", "pid": 1788, "ppid": 420, "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "serial_event_id": 53, "subtype": "create", "timestamp": 131509374294209140, "unique_pid": 53, "unique_ppid": 48, "user_domain": "vagrant", "user_name": "vagrant" }, { "command_line": "\"C:\\Python27\\python.exe\" \"C:\\workspace\\red_ttp\\process_name_masquerade.py\" ", "event_subtype_full": "creation_event", "event_type": "process", "event_type_full": "process_event", "md5": "21f73cd55626f0ec9fbce53eafbef128", "opcode": 1, "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "pid": 2256, "ppid": 1788, "process_name": "python.exe", "process_path": "C:\\Python27\\python.exe", "serial_event_id": 54, "subtype": "create", "timestamp": 131509374294365140, "unique_pid": 54, "unique_ppid": 53, "user_domain": "vagrant", "user_name": "vagrant" }, { "event_subtype_full": "file_create_event", "event_type": "file", "event_type_full": "file_event", "file_name": "svchost.exe", "file_path": "C:\\workspace\\red_ttp\\svchost.exe", "opcode": 0, "pid": 2256, "process_name": "python.exe", "process_path": "C:\\Python27\\python.exe", "serial_event_id": 55, "subtype": "create", "timestamp": 131509374295457140, "unique_pid": 54, "user_domain": "vagrant", "user_name": "vagrant" }, { "command_line": "svchost.exe", "event_subtype_full": "creation_event", "event_type": "process", "event_type_full": "process_event", "md5": "f49c54c4997a0401db0f6640a6111c52", "opcode": 1, "parent_process_name": "python.exe", "parent_process_path": "C:\\Python27\\python.exe", "pid": 2760, "ppid": 2256, "process_name": "svchost.exe", "process_path": "C:\\workspace\\red_ttp\\svchost.exe", "serial_event_id": 56, "subtype": "create", "timestamp": 131509374295613140, "unique_pid": 56, "unique_ppid": 54, "user_domain": "vagrant", "user_name": "vagrant" }, { "bytes_written_count": 20, "bytes_written_string_list": [ "en-US", "en" ], "event_subtype_full": "registry_modify_event", "event_type": "registry", "event_type_full": "registry_event", "key_path": "\\REGISTRY\\USER\\S-1-5-21-3942132181-2402070379-3970972291-1001_CLASSES\\Local Settings\\MuiCache\\1B\\52C64B7E\\LanguageList", "key_type": "multiSz", "opcode": 1, "pid": 2460, "process_name": "explorer.exe", "process_path": "C:\\Windows\\explorer.exe", "registry_key": "\\REGISTRY\\USER\\S-1-5-21-3942132181-2402070379-3970972291-1001_CLASSES\\Local Settings\\MuiCache\\1B\\52C64B7E", "registry_path": "\\REGISTRY\\USER\\S-1-5-21-3942132181-2402070379-3970972291-1001_CLASSES\\Local Settings\\MuiCache\\1B\\52C64B7E\\LanguageList", "registry_type": "multi_string", "registry_value": "LanguageList", "serial_event_id": 57, "timestamp": 131509374306065200, "unique_pid": 34, "user_name": "vagrant" }, { "event_subtype_full": "termination_event", "event_type": "process", "event_type_full": "process_event", "exit_code": 0, "md5": "f49c54c4997a0401db0f6640a6111c52", "opcode": 2, "parent_process_name": "python.exe", "parent_process_path": "C:\\Python27\\python.exe", "pid": 2760, "ppid": 2256, "process_name": "svchost.exe", "process_path": "C:\\workspace\\red_ttp\\svchost.exe", "serial_event_id": 58, "subtype": "terminate", "timestamp": 131509374345689460, "unique_pid": 56, "unique_ppid": 54, "user_domain": "vagrant", "user_name": "vagrant" }, { "event_subtype_full": "file_delete_event", "event_type": "file", "event_type_full": "file_event", "file_name": "svchost.exe", "file_path": "C:\\workspace\\red_ttp\\svchost.exe", "opcode": 2, "pid": 2256, "process_name": "python.exe", "process_path": "C:\\Python27\\python.exe", "serial_event_id": 59, "subtype": "modify", "timestamp": 131509374345689460, "unique_pid": 54, "user_domain": "vagrant", "user_name": "vagrant" }, { "event_subtype_full": "file_create_event", "event_type": "file", "event_type_full": "file_event", "file_name": "SVCHOST.EXE-CB1B3AA2.pf", "file_path": "C:\\Windows\\Prefetch\\SVCHOST.EXE-CB1B3AA2.pf", "opcode": 0, "pid": 896, "process_name": "svchost.exe", "process_path": "C:\\Windows\\System32\\svchost.exe", "serial_event_id": 60, "subtype": "create", "timestamp": 131509374345689460, "unique_pid": 16, "user_domain": "NT AUTHORITY", "user_name": "SYSTEM" }, { "event_subtype_full": "file_create_event", "event_type": "file", "event_type_full": "file_event", "file_name": "lsass.exe", "file_path": "C:\\workspace\\red_ttp\\lsass.exe", "opcode": 0, "pid": 2256, "process_name": "python.exe", "process_path": "C:\\Python27\\python.exe", "serial_event_id": 61, "subtype": "create", "timestamp": 131509374345689460, "unique_pid": 54, "user_domain": "vagrant", "user_name": "vagrant" }, { "command_line": "lsass.exe", "event_subtype_full": "creation_event", "event_type": "process", "event_type_full": "process_event", "md5": "f49c54c4997a0401db0f6640a6111c52", "opcode": 1, "parent_process_name": "python.exe", "parent_process_path": "C:\\Python27\\python.exe", "pid": 3696, "ppid": 2256, "process_name": "lsass.exe", "process_path": "C:\\workspace\\red_ttp\\lsass.exe", "serial_event_id": 62, "subtype": "create", "timestamp": 131509374345689460, "unique_pid": 62, "unique_ppid": 54, "user_domain": "vagrant", "user_name": "vagrant" }, { "event_subtype_full": "request_event", "event_type": "dns", "event_type_full": "dns_event", "opcode": 3008, "pid": 924, "process_name": "svchost.exe", "process_path": "C:\\Windows\\System32\\svchost.exe", "query_name": "teredo.ipv6.microsoft.com.", "serial_event_id": 63, "timestamp": 131509374350369490, "unique_pid": 17, "user_domain": "NT AUTHORITY", "user_name": "SYSTEM" }, { "event_subtype_full": "termination_event", "event_type": "process", "event_type_full": "process_event", "exit_code": 0, "md5": "f49c54c4997a0401db0f6640a6111c52", "opcode": 2, "parent_process_name": "python.exe", "parent_process_path": "C:\\Python27\\python.exe", "pid": 3696, "ppid": 2256, "process_name": "lsass.exe", "process_path": "C:\\workspace\\red_ttp\\lsass.exe", "serial_event_id": 64, "subtype": "terminate", "timestamp": 131509374395921780, "unique_pid": 62, "unique_ppid": 54, "user_domain": "vagrant", "user_name": "vagrant" }, { "event_subtype_full": "file_delete_event", "event_type": "file", "event_type_full": "file_event", "file_name": "lsass.exe", "file_path": "C:\\workspace\\red_ttp\\lsass.exe", "opcode": 2, "pid": 2256, "process_name": "python.exe", "process_path": "C:\\Python27\\python.exe", "serial_event_id": 65, "subtype": "modify", "timestamp": 131509374395921780, "unique_pid": 54, "user_domain": "vagrant", "user_name": "vagrant" }, { "event_subtype_full": "file_create_event", "event_type": "file", "event_type_full": "file_event", "file_name": "LSASS.EXE-02265BD5.pf", "file_path": "C:\\Windows\\Prefetch\\LSASS.EXE-02265BD5.pf", "opcode": 0, "pid": 896, "process_name": "svchost.exe", "process_path": "C:\\Windows\\System32\\svchost.exe", "serial_event_id": 66, "subtype": "create", "timestamp": 131509374395921780, "unique_pid": 16, "user_domain": "NT AUTHORITY", "user_name": "SYSTEM" }, { "event_subtype_full": "file_create_event", "event_type": "file", "event_type_full": "file_event", "file_name": "services.exe", "file_path": "C:\\workspace\\red_ttp\\services.exe", "opcode": 0, "pid": 2256, "process_name": "python.exe", "process_path": "C:\\Python27\\python.exe", "serial_event_id": 67, "subtype": "create", "timestamp": 131509374395921780, "unique_pid": 54, "user_domain": "vagrant", "user_name": "vagrant" }, { "command_line": "services.exe", "event_subtype_full": "creation_event", "event_type": "process", "event_type_full": "process_event", "md5": "f49c54c4997a0401db0f6640a6111c52", "opcode": 1, "parent_process_name": "python.exe", "parent_process_path": "C:\\Python27\\python.exe", "pid": 1832, "ppid": 2256, "process_name": "services.exe", "process_path": "C:\\workspace\\red_ttp\\services.exe", "serial_event_id": 68, "subtype": "create", "timestamp": 131509374395921780, "unique_pid": 68, "unique_ppid": 54, "user_domain": "vagrant", "user_name": "vagrant" }, { "event_subtype_full": "termination_event", "event_type": "process", "event_type_full": "process_event", "exit_code": 0, "md5": "f49c54c4997a0401db0f6640a6111c52", "opcode": 2, "parent_process_name": "python.exe", "parent_process_path": "C:\\Python27\\python.exe", "pid": 1832, "ppid": 2256, "process_name": "services.exe", "process_path": "C:\\workspace\\red_ttp\\services.exe", "serial_event_id": 69, "subtype": "terminate", "timestamp": 131509374446778110, "unique_pid": 68, "unique_ppid": 54, "user_domain": "vagrant", "user_name": "vagrant" }, { "event_subtype_full": "file_delete_event", "event_type": "file", "event_type_full": "file_event", "file_name": "services.exe", "file_path": "C:\\workspace\\red_ttp\\services.exe", "opcode": 2, "pid": 2256, "process_name": "python.exe", "process_path": "C:\\Python27\\python.exe", "serial_event_id": 70, "subtype": "modify", "timestamp": 131509374446778110, "unique_pid": 54, "user_domain": "vagrant", "user_name": "vagrant" }, { "event_subtype_full": "file_create_event", "event_type": "file", "event_type_full": "file_event", "file_name": "SERVICES.EXE-01D9177B.pf", "file_path": "C:\\Windows\\Prefetch\\SERVICES.EXE-01D9177B.pf", "opcode": 0, "pid": 896, "process_name": "svchost.exe", "process_path": "C:\\Windows\\System32\\svchost.exe", "serial_event_id": 71, "subtype": "create", "timestamp": 131509374446778110, "unique_pid": 16, "user_domain": "NT AUTHORITY", "user_name": "SYSTEM" }, { "event_subtype_full": "file_create_event", "event_type": "file", "event_type_full": "file_event", "file_name": "csrss.exe", "file_path": "C:\\workspace\\red_ttp\\csrss.exe", "opcode": 0, "pid": 2256, "process_name": "python.exe", "process_path": "C:\\Python27\\python.exe", "serial_event_id": 72, "subtype": "create", "timestamp": 131509374446778110, "unique_pid": 54, "user_domain": "vagrant", "user_name": "vagrant" }, { "command_line": "csrss.exe", "event_subtype_full": "creation_event", "event_type": "process", "event_type_full": "process_event", "md5": "f49c54c4997a0401db0f6640a6111c52", "opcode": 1, "parent_process_name": "python.exe", "parent_process_path": "C:\\Python27\\python.exe", "pid": 3948, "ppid": 2256, "process_name": "csrss.exe", "process_path": "C:\\workspace\\red_ttp\\csrss.exe", "serial_event_id": 73, "subtype": "create", "timestamp": 131509374446778110, "unique_pid": 73, "unique_ppid": 54, "user_domain": "vagrant", "user_name": "vagrant" }, { "event_subtype_full": "termination_event", "event_type": "process", "event_type_full": "process_event", "exit_code": 0, "md5": "f49c54c4997a0401db0f6640a6111c52", "opcode": 2, "parent_process_name": "python.exe", "parent_process_path": "C:\\Python27\\python.exe", "pid": 3948, "ppid": 2256, "process_name": "csrss.exe", "process_path": "C:\\workspace\\red_ttp\\csrss.exe", "serial_event_id": 74, "subtype": "terminate", "timestamp": 131509374497010430, "unique_pid": 73, "unique_ppid": 54, "user_domain": "vagrant", "user_name": "vagrant" }, { "event_subtype_full": "file_delete_event", "event_type": "file", "event_type_full": "file_event", "file_name": "csrss.exe", "file_path": "C:\\workspace\\red_ttp\\csrss.exe", "opcode": 2, "pid": 2256, "process_name": "python.exe", "process_path": "C:\\Python27\\python.exe", "serial_event_id": 75, "subtype": "modify", "timestamp": 131509374497010430, "unique_pid": 54, "user_domain": "vagrant", "user_name": "vagrant" }, { "event_subtype_full": "file_create_event", "event_type": "file", "event_type_full": "file_event", "file_name": "smss.exe", "file_path": "C:\\workspace\\red_ttp\\smss.exe", "opcode": 0, "pid": 2256, "process_name": "python.exe", "process_path": "C:\\Python27\\python.exe", "serial_event_id": 76, "subtype": "create", "timestamp": 131509374497010430, "unique_pid": 54, "user_domain": "vagrant", "user_name": "vagrant" }, { "event_subtype_full": "file_create_event", "event_type": "file", "event_type_full": "file_event", "file_name": "CSRSS.EXE-006B4E4D.pf", "file_path": "C:\\Windows\\Prefetch\\CSRSS.EXE-006B4E4D.pf", "opcode": 0, "pid": 896, "process_name": "svchost.exe", "process_path": "C:\\Windows\\System32\\svchost.exe", "serial_event_id": 77, "subtype": "create", "timestamp": 131509374497010430, "unique_pid": 16, "user_domain": "NT AUTHORITY", "user_name": "SYSTEM" }, { "command_line": "smss.exe", "event_subtype_full": "creation_event", "event_type": "process", "event_type_full": "process_event", "md5": "f49c54c4997a0401db0f6640a6111c52", "opcode": 1, "parent_process_name": "python.exe", "parent_process_path": "C:\\Python27\\python.exe", "pid": 3720, "ppid": 2256, "process_name": "smss.exe", "process_path": "C:\\workspace\\red_ttp\\smss.exe", "serial_event_id": 78, "subtype": "create", "timestamp": 131509374497010430, "unique_pid": 78, "unique_ppid": 54, "user_domain": "vagrant", "user_name": "vagrant" }, { "bytes_written_count": 80, "event_subtype_full": "registry_modify_event", "event_type": "registry", "event_type_full": "registry_event", "key_path": "\\REGISTRY\\MACHINE\\SAM\\SAM\\DOMAINS\\Account\\Users\\000003E9\\F", "key_type": "binary", "opcode": 1, "pid": 536, "process_name": "lsass.exe", "process_path": "C:\\Windows\\System32\\lsass.exe", "registry_key": "\\REGISTRY\\MACHINE\\SAM\\SAM\\DOMAINS\\Account\\Users\\000003E9", "registry_path": "\\REGISTRY\\MACHINE\\SAM\\SAM\\DOMAINS\\Account\\Users\\000003E9\\F", "registry_type": "binary", "registry_value": "F", "serial_event_id": 79, "timestamp": 131509374520566580, "unique_pid": 9, "user_name": "SYSTEM" }, { "event_subtype_full": "termination_event", "event_type": "process", "event_type_full": "process_event", "exit_code": 0, "md5": "f49c54c4997a0401db0f6640a6111c52", "opcode": 2, "parent_process_name": "python.exe", "parent_process_path": "C:\\Python27\\python.exe", "pid": 3720, "ppid": 2256, "process_name": "smss.exe", "process_path": "C:\\workspace\\red_ttp\\smss.exe", "serial_event_id": 80, "subtype": "terminate", "timestamp": 131509374547086750, "unique_pid": 78, "unique_ppid": 54, "user_domain": "vagrant", "user_name": "vagrant" }, { "event_subtype_full": "file_delete_event", "event_type": "file", "event_type_full": "file_event", "file_name": "smss.exe", "file_path": "C:\\workspace\\red_ttp\\smss.exe", "opcode": 2, "pid": 2256, "process_name": "python.exe", "process_path": "C:\\Python27\\python.exe", "serial_event_id": 81, "subtype": "modify", "timestamp": 131509374547086750, "unique_pid": 54, "user_domain": "vagrant", "user_name": "vagrant" }, { "event_subtype_full": "file_create_event", "event_type": "file", "event_type_full": "file_event", "file_name": "SMSS.EXE-8C66D82D.pf", "file_path": "C:\\Windows\\Prefetch\\SMSS.EXE-8C66D82D.pf", "opcode": 0, "pid": 896, "process_name": "svchost.exe", "process_path": "C:\\Windows\\System32\\svchost.exe", "serial_event_id": 82, "subtype": "create", "timestamp": 131509374547086750, "unique_pid": 16, "user_domain": "NT AUTHORITY", "user_name": "SYSTEM" }, { "event_subtype_full": "file_create_event", "event_type": "file", "event_type_full": "file_event", "file_name": "wininit.exe", "file_path": "C:\\workspace\\red_ttp\\wininit.exe", "opcode": 0, "pid": 2256, "process_name": "python.exe", "process_path": "C:\\Python27\\python.exe", "serial_event_id": 83, "subtype": "create", "timestamp": 131509374547086750, "unique_pid": 54, "user_domain": "vagrant", "user_name": "vagrant" }, { "command_line": "wininit.exe", "event_subtype_full": "creation_event", "event_type": "process", "event_type_full": "process_event", "md5": "f49c54c4997a0401db0f6640a6111c52", "opcode": 1, "parent_process_name": "python.exe", "parent_process_path": "C:\\Python27\\python.exe", "pid": 1680, "ppid": 2256, "process_name": "wininit.exe", "process_path": "C:\\workspace\\red_ttp\\wininit.exe", "serial_event_id": 84, "subtype": "create", "timestamp": 131509374547086750, "unique_pid": 84, "unique_ppid": 54, "user_domain": "vagrant", "user_name": "vagrant" }, { "event_subtype_full": "termination_event", "event_type": "process", "event_type_full": "process_event", "exit_code": 0, "md5": "f49c54c4997a0401db0f6640a6111c52", "opcode": 2, "parent_process_name": "python.exe", "parent_process_path": "C:\\Python27\\python.exe", "pid": 1680, "ppid": 2256, "process_name": "wininit.exe", "process_path": "C:\\workspace\\red_ttp\\wininit.exe", "serial_event_id": 85, "subtype": "terminate", "timestamp": 131509374597163070, "unique_pid": 84, "unique_ppid": 54, "user_domain": "vagrant", "user_name": "vagrant" }, { "event_subtype_full": "file_delete_event", "event_type": "file", "event_type_full": "file_event", "file_name": "wininit.exe", "file_path": "C:\\workspace\\red_ttp\\wininit.exe", "opcode": 2, "pid": 2256, "process_name": "python.exe", "process_path": "C:\\Python27\\python.exe", "serial_event_id": 86, "subtype": "modify", "timestamp": 131509374597163070, "unique_pid": 54, "user_domain": "vagrant", "user_name": "vagrant" }, { "event_subtype_full": "file_create_event", "event_type": "file", "event_type_full": "file_event", "file_name": "WININIT.EXE-F4D46129.pf", "file_path": "C:\\Windows\\Prefetch\\WININIT.EXE-F4D46129.pf", "opcode": 0, "pid": 896, "process_name": "svchost.exe", "process_path": "C:\\Windows\\System32\\svchost.exe", "serial_event_id": 87, "subtype": "create", "timestamp": 131509374597163070, "unique_pid": 16, "user_domain": "NT AUTHORITY", "user_name": "SYSTEM" }, { "event_subtype_full": "file_create_event", "event_type": "file", "event_type_full": "file_event", "file_name": "explorer.exe", "file_path": "C:\\workspace\\red_ttp\\explorer.exe", "opcode": 0, "pid": 2256, "process_name": "python.exe", "process_path": "C:\\Python27\\python.exe", "serial_event_id": 88, "subtype": "create", "timestamp": 131509374597163070, "unique_pid": 54, "user_domain": "vagrant", "user_name": "vagrant" }, { "command_line": "explorer.exe", "event_subtype_full": "creation_event", "event_type": "process", "event_type_full": "process_event", "md5": "f49c54c4997a0401db0f6640a6111c52", "opcode": 1, "parent_process_name": "python.exe", "parent_process_path": "C:\\Python27\\python.exe", "pid": 4080, "ppid": 2256, "process_name": "explorer.exe", "process_path": "C:\\workspace\\red_ttp\\explorer.exe", "serial_event_id": 89, "subtype": "create", "timestamp": 131509374597163070, "unique_pid": 89, "unique_ppid": 54, "user_domain": "vagrant", "user_name": "vagrant" }, { "event_subtype_full": "termination_event", "event_type": "process", "event_type_full": "process_event", "exit_code": 0, "md5": "f49c54c4997a0401db0f6640a6111c52", "opcode": 2, "parent_process_name": "python.exe", "parent_process_path": "C:\\Python27\\python.exe", "pid": 4080, "ppid": 2256, "process_name": "explorer.exe", "process_path": "C:\\workspace\\red_ttp\\explorer.exe", "serial_event_id": 90, "subtype": "terminate", "timestamp": 131509374647239400, "unique_pid": 89, "unique_ppid": 54, "user_domain": "vagrant", "user_name": "vagrant" }, { "event_subtype_full": "file_delete_event", "event_type": "file", "event_type_full": "file_event", "file_name": "explorer.exe", "file_path": "C:\\workspace\\red_ttp\\explorer.exe", "opcode": 2, "pid": 2256, "process_name": "python.exe", "process_path": "C:\\Python27\\python.exe", "serial_event_id": 91, "subtype": "modify", "timestamp": 131509374647239400, "unique_pid": 54, "user_domain": "vagrant", "user_name": "vagrant" }, { "event_subtype_full": "file_create_event", "event_type": "file", "event_type_full": "file_event", "file_name": "EXPLORER.EXE-854AF04C.pf", "file_path": "C:\\Windows\\Prefetch\\EXPLORER.EXE-854AF04C.pf", "opcode": 0, "pid": 896, "process_name": "svchost.exe", "process_path": "C:\\Windows\\System32\\svchost.exe", "serial_event_id": 92, "subtype": "create", "timestamp": 131509374647239400, "unique_pid": 16, "user_domain": "NT AUTHORITY", "user_name": "SYSTEM" }, { "event_subtype_full": "termination_event", "event_type": "process", "event_type_full": "process_event", "exit_code": 0, "md5": "21f73cd55626f0ec9fbce53eafbef128", "opcode": 2, "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "pid": 2256, "ppid": 1788, "process_name": "python.exe", "process_path": "C:\\Python27\\python.exe", "serial_event_id": 93, "subtype": "terminate", "timestamp": 131509374647239400, "unique_pid": 54, "unique_ppid": 53, "user_domain": "vagrant", "user_name": "vagrant" }, { "event_subtype_full": "termination_event", "event_type": "process", "event_type_full": "process_event", "exit_code": 0, "md5": "5746bd7e255dd6a8afa06f7c42c1ba41", "opcode": 2, "parent_process_name": "python.exe", "parent_process_path": "C:\\Python27\\python.exe", "pid": 1788, "ppid": 420, "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", "serial_event_id": 94, "subtype": "terminate", "timestamp": 131509374647239400, "unique_pid": 53, "unique_ppid": 48, "user_domain": "vagrant", "user_name": "vagrant" }, { "event_subtype_full": "file_create_event", "event_type": "file", "event_type_full": "file_event", "file_name": "something.json", "file_path": "C:\\workspace\\dev\\TestLogs\\something.json", "opcode": 0, "pid": 420, "process_name": "python.exe", "process_path": "C:\\Python27\\python.exe", "serial_event_id": 95, "subtype": "create", "timestamp": 131509374647239400, "unique_pid": 48, "user_domain": "vagrant", "user_name": "vagrant" }, { "event_subtype_full": "file_create_event", "event_type": "file", "event_type_full": "file_event", "file_name": "something.json", "file_path": "C:\\workspace\\Libraries\\myapp\\myapp\\python\\myapp\\something.json", "opcode": 0, "pid": 420, "process_name": "python.exe", "process_path": "C:\\Python27\\python.exe", "serial_event_id": 96, "subtype": "create", "timestamp": 131509374647239400, "unique_pid": 48, "user_domain": "vagrant", "user_name": "vagrant" }, { "authentication_id": 854482244, "command_line": "net localgroup administrators findme2", "event_subtype_full": "creation_event", "event_type": "process", "event_type_full": "process_event", "md5": "63dd6fbaabf881385899fd39df13dce3", "opcode": 1, "original_file_name": "NET.exe", "parent_process_name": "cmd.exe", "parent_process_path": "C:\\Windows\\System32\\cmd.exe", "pid": 3608, "ppid": 392, "process_name": "net.exe", "process_path": "C:\\Windows\\System32\\net.exe", "serial_event_id": 97, "subtype": "create", "timestamp": 131605904083494370, "unique_pid": 750058, "unique_ppid": 707545, "user_domain": "vagrant", "user_name": "vagrant" }, { "authentication_id": 854482244, "command_line": "C:\\Windows\\system32\\net1 localgroup administrators findme2", "event_subtype_full": "creation_event", "event_type": "process", "event_type_full": "process_event", "md5": "3b6928bc39e5530cead1e99269e7b1ee", "opcode": 1, "original_file_name": "net1.exe", "parent_process_name": "net.exe", "parent_process_path": "C:\\Windows\\System32\\net.exe", "pid": 1348, "ppid": 3608, "process_name": "net1.exe", "process_path": "C:\\Windows\\System32\\net1.exe", "serial_event_id": 98, "subtype": "create", "timestamp": 131605904083806370, "unique_pid": 750059, "unique_ppid": 750058, "user_domain": "vagrant", "user_name": "vagrant" }, { "authentication_id": 13728872, "command_line": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe tmp-file.csproj", "event_subtype_full": "creation_event", "event_type": "process", "event_type_full": "process_event", "md5": "4b736b85e5de65e572f28a91e31b99bf", "opcode": 1, "original_file_name": "MSBuild.exe", "parent_process_name": "python.exe", "parent_process_path": "C:\\Python27\\python.exe", "pid": 860, "ppid": 1196, "process_name": "MSBuild.exe", "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", "serial_event_id": 75273, "subtype": "create", "timestamp": 131762381484502110, "unique_pid": 75273, "unique_ppid": 75248, "user_domain": "vagrant", "user_name": "vagrant" }, { "event_subtype_full": "termination_event", "event_type": "process", "event_type_full": "process_event", "exit_code": 0, "md5": "4b736b85e5de65e572f28a91e31b99bf", "opcode": 2, "original_file_name": "MSBuild.exe", "parent_process_name": "python.exe", "parent_process_path": "C:\\Python27\\python.exe", "pid": 860, "ppid": 1196, "process_name": "MSBuild.exe", "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", "serial_event_id": 75303, "subtype": "terminate", "timestamp": 131762381493483680, "unique_pid": 75273, "unique_ppid": 75248, "user_domain": "vagrant", "user_name": "vagrant" }, { "destination_address": "10.6.48.157", "destination_port": 8000, "event_subtype_full": "ipv4_connection_attempt_event", "event_type": "network", "event_type_full": "network_event", "opcode": 12, "pid": 860, "process_name": "MSBuild.exe", "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", "protocol": "tcp", "serial_event_id": 75304, "source_address": "10.6.48.157", "source_port": 52178, "subtype": "outgoing", "timestamp": 131762381493039760, "unique_pid": 75273, "user_domain": "vagrant", "user_name": "vagrant" }, { "destination_address": "10.6.48.157", "destination_port": 8000, "event_subtype_full": "ipv4_connection_attempt_event", "event_type": "network", "event_type_full": "network_event", "mysterious_field": { "num": 100, "outer_cross_match": "s3-c-x-y", "subarray": [ { "a": "s0-a", "b": [ "s0-b" ], "c": [ { "x": { "y": "s0-c-x-y" }, "z": "s0-c0-x-z" }, { "x": { "y": "s0-c-x-y" }, "z": "s0-c1-x-z" } ], "cross_match": "s0-c1-x-z" }, { "a": "s1-a", "b": [ "s1-b" ], "c": [] }, { "a": "s2-a", "b": [ "s2-b" ], "c": [] }, { "a": "s3-a", "b": [ "s3-b" ], "c": [ { "x": { "y": "s3-c-x-y" }, "z": "s3-c-x-z" } ] } ], "this_is_for_testing_nested_data": "true" }, "opcode": 12, "pid": 10000, "process_name": "MSBuild.exe", "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", "protocol": "tcp", "serial_event_id": 75305, "source_address": "10.6.48.157", "source_port": 52178, "subtype": "outgoing", "timestamp": 131762381493039760, "unique_pid": 99999, "user_domain": "vagrant", "user_name": "vagrant" } ]