Event ID | Channel | Fields |
---|---|---|
1 | Microsoft-Windows-Sysmon/Operational | Ancestors: System\|C:\\Windows\\System32\\smss.exe\|C:\\Windows\\System32\\smss.exe\|C:\\Windows\\System32\\wininit.exe\|C:\\Windows\\System32\\services.exe CommandLine: C:\\Windows\\system32\\SecurityHealthService.exe Company: Microsoft Corporation CurrentDirectory: C:\\Windows\\system32\\ Description: Windows Security Health Service FileVersion: 4.18.1901.16384 (WinBuild.160101.0800) Hashes: SHA1=6506644A113031DF428C20CF4C278468B0C6E017,MD5=FB82EE2318700D2A1CF497636A9B4710,SHA256=0F0FD4B9DFD555E4A53AE9070447E330EAAF96FF51F012CD982157DEDFDDD9A6,IMPHASH=6317654951BFF89546F311B469BB379F Image: C:\\Windows\\System32\\SecurityHealthService.exe ImageSize: 913168 IntegrityLevel: System IntegrityTimeout: false LogonGuid: {515cd0d1-6e1f-5f22-e703-000000000000} LogonId: 0x3e7 OriginalFileName: SecurityHealthService.exe ParentCommandLine: C:\\Windows\\system32\\services.exe ParentImage: C:\\Windows\\System32\\services.exe ParentIntegrityLevel: System ParentProcessGuid: {515cd0d1-6e1f-5f22-0b00-000000004100} ParentProcessId: 632 ParentProcessIntegrity: -1 ParentServices: N/A ParentUser: NT AUTHORITY\\SYSTEM ProcessGuid: {515cd0d1-6e40-5f22-8100-000000004100} ProcessId: 6540 ProcessIntegrity: -1 Product: Microsoft® Windows® Operating System RuleName: - Services: SecurityHealthService TerminalSessionId: 0 User: NT AUTHORITY\\SYSTEM UtcTime: 4242-04-24 13:37:42.422 |
2 | Microsoft-Windows-Sysmon/Operational | CommandLine: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" CreationUtcTime: 2019-06-12 11:03:38.768 CurrentDirectory: C:\\Windows\\system32\\ Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe ImageHashes: SHA1=36C5D12033B2EAF251BAE61C00690FFB17FDDC87,MD5=CDA48FC75952AD12D99E526D0B6BF70A,SHA256=908B64B1971A979C7E3E8CE4621945CBA84854CB98D76367B791A6E22B5F6D53,IMPHASH=A7CEFACDDA74B13CD330390769752481 IntegrityLevel: High PreviousCreationUtcTime: 2020-07-30 06:53:07.109 ProcessGuid: {515cd0d1-6e50-5f22-9500-000000004100} ProcessId: 7220 RuleName: - Services: N/A TargetFilename: C:\\Users\\Generic\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\JXABLM89H2JOOX8OVGPR.temp User: DESKTOP-LJRVE06\\Generic UtcTime: 4242-04-24 13:37:42.422 |
3 | Microsoft-Windows-Sysmon/Operational | CommandLine: C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp CurrentDirectory: C:\\Windows\\system32\\ DestinationHostname: - DestinationIp: ff02:0:0:0:0:0:1:2 DestinationIsIpv6: true DestinationPort: 547 DestinationPortName: - Image: C:\\Windows\\System32\\svchost.exe ImageHashes: SHA1=75C5A97F521F760E32A4A9639A653EED862E9C61,MD5=9520A99E77D6196D0D09833146424113,SHA256=DD191A5B23DF92E12A8852291F9FB5ED594B76A28A5A464418442584AFD1E048,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69 Initiated: true IntegrityLevel: System ProcessGuid: {515cd0d1-6e20-5f22-2100-000000004100} ProcessId: 1424 Protocol: udp RuleName: - Services: Dhcp SourceHostname: - SourceIp: fe80:0:0:0:2ccd:2156:e8b4:895d SourceIsIpv6: true SourcePort: 546 SourcePortName: - User: NT AUTHORITY\\LOCAL SERVICE UtcTime: 4242-04-24 13:37:42.422 |
4 | Microsoft-Windows-Sysmon/Operational | SchemaVersion: 4.32 State: Started UtcTime: 4242-04-24 13:37:42.422 Version: 11.10 |
5 | Microsoft-Windows-Sysmon/Operational | CommandLine: \\SystemRoot\\System32\\smss.exe 000000ac 00000088 CurrentDirectory: C:\\Windows\\ Image: C:\\Windows\\System32\\smss.exe ImageHashes: SHA1=913D1903C43636A9D760D084B821908139651790,MD5=6CE93967F7235F88940092E88AD18AAB,SHA256=14A5FB352FD89A8969147FEEE9473BE2086391AF7D5AF0D2D5583F4A324826DF,IMPHASH=BC32B6662261DE8469D6EB034C62A6A5 IntegrityLevel: System ProcessGuid: {515cd0d1-6e1e-5f22-0500-000000004100} ProcessId: 416 RuleName: - Services: gpsvc User: NT AUTHORITY\\SYSTEM UtcTime: 4242-04-24 13:37:42.422 |
6 | Microsoft-Windows-Sysmon/Operational | Hashes: SHA1=D1F95AB2E3B6EF27639E72AE1335D9D00007698B,MD5=7DE33B6BCD2113B39090D005BA5CFE9E,SHA256=1E84F2E321BB303320F6A40CC1EF22328BC162C9E433E4559F7D42160058EA78,IMPHASH=DE167A0100AD87EB2C9E1534AB9385B4 ImageLoaded: C:\\Windows\\System32\\drivers\\null.sys ImageLoadedSize: 7680 RuleName: - Signature: Microsoft Windows SignatureStatus: Valid Signed: true UtcTime: 4242-04-24 13:37:42.422 |
7 | Microsoft-Windows-Sysmon/Operational | CommandLine: %%SystemRoot%%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 Company: Microsoft Corporation CurrentDirectory: C:\\Windows\\system32\\ Description: Client Server Runtime Process FileVersion: 10.0.18362.1 (WinBuild.160101.0800) Hashes: SHA1=2038501676866B87CEE4514CEFF77DAEA9729F30,MD5=23019322FFECB179746210BE52D6DE60,SHA256=F2C7D894ABE8AC0B4C2A597CAA6B3EFE7AD2BDB4226845798D954C5AB9C9BF15,IMPHASH=A96FA9912E09E361274AD77F1A4B252C Image: C:\\Windows\\System32\\csrss.exe ImageHashes: SHA1=2038501676866B87CEE4514CEFF77DAEA9729F30,MD5=23019322FFECB179746210BE52D6DE60,SHA256=F2C7D894ABE8AC0B4C2A597CAA6B3EFE7AD2BDB4226845798D954C5AB9C9BF15,IMPHASH=A96FA9912E09E361274AD77F1A4B252C ImageLoaded: C:\\Windows\\System32\\csrss.exe ImageLoadedSize: 17808 IntegrityLevel: System OriginalFileName: CSRSS.Exe ParentCommandLine: \\SystemRoot\\System32\\smss.exe 000000ac 00000088 ParentImage: C:\\Windows\\System32\\smss.exe ProcessGuid: {515cd0d1-6e1e-5f22-0600-000000004100} ProcessId: 424 Product: Microsoft® Windows® Operating System RuleName: - Services: N/A Signature: Microsoft Windows Publisher SignatureStatus: Valid Signed: true User: NT AUTHORITY\\SYSTEM UtcTime: 4242-04-24 13:37:42.422 |
8 | | |
9 | Microsoft-Windows-Sysmon/Operational | CommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s wuauserv CurrentDirectory: C:\\Windows\\system32\\ Device: \\Device\\HarddiskVolume2 Image: C:\\Windows\\System32\\svchost.exe ImageHashes: SHA1=75C5A97F521F760E32A4A9639A653EED862E9C61,MD5=9520A99E77D6196D0D09833146424113,SHA256=DD191A5B23DF92E12A8852291F9FB5ED594B76A28A5A464418442584AFD1E048,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69 IntegrityLevel: System ProcessGuid: {515cd0d1-6e21-5f22-3d00-000000004100} ProcessId: 2296 RuleName: - Services: wuauserv User: NT AUTHORITY\\SYSTEM UtcTime: 4242-04-24 13:37:42.422 |
10 | Microsoft-Windows-Sysmon/Operational | CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9c524\|C:\\Windows\\System32\\KERNELBASE.dll+6a685\|c:\\windows\\system32\\lsm.dll+ff97\|C:\\Windows\\System32\\RPCRT4.dll+76963\|C:\\Windows\\System32\\RPCRT4.dll+da036\|C:\\Windows\\System32\\RPCRT4.dll+37a5c\|C:\\Windows\\System32\\RPCRT4.dll+548d8\|C:\\Windows\\System32\\RPCRT4.dll+2c931\|C:\\Windows\\System32\\RPCRT4.dll+2c1eb\|C:\\Windows\\System32\\RPCRT4.dll+1a86f\|C:\\Windows\\System32\\RPCRT4.dll+19d1a\|C:\\Windows\\System32\\RPCRT4.dll+19301\|C:\\Windows\\System32\\RPCRT4.dll+18d6e\|C:\\Windows\\System32\\RPCRT4.dll+169a5\|C:\\Windows\\SYSTEM32\\ntdll.dll+333fd\|C:\\Windows\\SYSTEM32\\ntdll.dll+34152\|C:\\Windows\\System32\\KERNEL32.DLL+17944\|C:\\Windows\\SYSTEM32\\ntdll.dll+6ce71 GrantedAccess: 0x1000 RuleName: - SourceHashes: SHA1=75C5A97F521F760E32A4A9639A653EED862E9C61,MD5=9520A99E77D6196D0D09833146424113,SHA256=DD191A5B23DF92E12A8852291F9FB5ED594B76A28A5A464418442584AFD1E048,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69 SourceImage: C:\\Windows\\system32\\svchost.exe SourceIntegrityLevel: System SourceProcessGUID: {515cd0d1-6e1f-5f22-1200-000000004100} SourceProcessId: 928 SourceServices: LSM SourceThreadId: 956 SourceUser: NT AUTHORITY\\SYSTEM TargetHashes: SHA1=9FE3BA25E5660C23DFE478D577CFACDE5795870C,MD5=03C70933698C6E3E466076DD9C3FAA18,SHA256=AA52B2D3DD4B9B47FF4496C0460BDEDDA791354018CF0782B899EF28ACEE8D21,IMPHASH=09FDE88C65E2BC5F1F90E96B673C52B1 TargetImage: C:\\Windows\\system32\\lsass.exe TargetIntegrityLevel: System TargetParentProcessGuid: {515cd0d1-6e1e-5f22-0800-000000004100} TargetProcessGUID: {515cd0d1-6e1f-5f22-0c00-000000004100} TargetProcessId: 652 TargetServices: KeyIso,SamSs TargetUser: NT AUTHORITY\\SYSTEM UtcTime: 4242-04-24 13:37:42.422 |
11 | Microsoft-Windows-Sysmon/Operational | CommandLine: "C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_12007.1001.2.0_x64__8wekyb3d8bbwe\\WinStore.App.exe" -ServerName:App.AppXc75wvwned5vhz4xyxxecvgdjhdkgsdza.mca CreationUtcTime: 2020-07-21 06:16:09.011 CurrentDirectory: C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_12007.1001.2.0_x64__8wekyb3d8bbwe\\ Image: C:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_12007.1001.2.0_x64__8wekyb3d8bbwe\\WinStore.App.exe ImageHashes: SHA1=A70B1B664DFAD439CFEFACCBC6690E157DC23633,MD5=C1B380640D11FEC6CBB35FF20F58A17E,SHA256=3AF6BE21B6DFC06E3A3A78CC726CFA2007854244E74C8A421B09ECBE0C12EC61,IMPHASH=CA878514C158EF3E1C1EE824024717CA IntegrityLevel: AppContainer ProcessGuid: {515cd0d1-6e6f-5f22-9f00-000000004100} ProcessId: 7960 RuleName: - Services: N/A TargetFilename: C:\\Users\\Generic\\AppData\\Local\\Packages\\Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\perUserCache_0\\index User: DESKTOP-LJRVE06\\Generic UtcTime: 4242-04-24 13:37:42.422 |
12 | Microsoft-Windows-Sysmon/Operational | EventType: CreateKey Image: System ProcessGuid: {515cd0d1-6e1b-5f22-0100-000000004100} ProcessId: 4 RuleName: - TargetObject: HKLM\\System\\CurrentControlSet\\Enum\\PCI\\VEN_8086&DEV_2668&SUBSYS_76808384&REV_01\\3&267a616a&0&28\\Device Parameters\\Interrupt Management UtcTime: 4242-04-24 13:37:42.422 |
13 | Microsoft-Windows-Sysmon/Operational | Details: Binary Data EventType: SetValue Image: System ProcessGuid: {515cd0d1-6e1b-5f22-0100-000000004100} ProcessId: 4 RuleName: - TargetObject: HKLM\\System\\CurrentControlSet\\Enum\\STORAGE\\Volume\\{1eeaac07-8cf7-11e9-9661-806e6f6e6963}#0000000000100000\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}\\0066\\(Default) UtcTime: 4242-04-24 13:37:42.422 |
14 | | |
15 | | |
16 | | |
17 | Microsoft-Windows-Sysmon/Operational | CommandLine: C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog CurrentDirectory: C:\\Windows\\system32\\ EventType: CreatePipe Image: C:\\Windows\\System32\\svchost.exe ImageHashes: SHA1=75C5A97F521F760E32A4A9639A653EED862E9C61,MD5=9520A99E77D6196D0D09833146424113,SHA256=DD191A5B23DF92E12A8852291F9FB5ED594B76A28A5A464418442584AFD1E048,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69 IntegrityLevel: System PipeName: \\Winsock2\\CatalogChangeListener-4fc-0 ProcessGuid: {515cd0d1-6e20-5f22-1d00-000000004100} ProcessId: 1276 RuleName: - Services: EventLog User: NT AUTHORITY\\LOCAL SERVICE UtcTime: 4242-04-24 13:37:42.422 |
18 | Microsoft-Windows-Sysmon/Operational | CommandLine: C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding CurrentDirectory: C:\\Windows\\system32\\ EventType: ConnectPipe Image: C:\\Windows\\system32\\wbem\\wmiprvse.exe ImageHashes: SHA1=51B8646308EE0B68AD1F7F1291B85395434DE49A,MD5=801E8003C257C8F540B20F1E0DECD3A6,SHA256=A75C85F3B089993E9C042FB82ECB7757E8F460ED8065FC7991CAA38A6DE0F50C,IMPHASH=CC058866636CC184AD452F88EE39368A IntegrityLevel: System PipeName: \\lsass ProcessGuid: {515cd0d1-6e21-5f22-4100-000000004100} ProcessId: 2744 RuleName: - Services: N/A User: NT AUTHORITY\\NETWORK SERVICE UtcTime: 4242-04-24 13:37:42.422 |
19 | | |
20 | | |
21 | | |
22 | Microsoft-Windows-Sysmon/Operational | CommandLine: C:\\Windows\\System32\\spoolsv.exe CurrentDirectory: C:\\Windows\\system32\\ Image: C:\\Windows\\System32\\spoolsv.exe ImageHashes: SHA1=D5F2D846DC244E840BE558D9D21BF4BEF5FAA4D6,MD5=1096F67170CCD4DCE97D2DE3FC421712,SHA256=A26658A11FB78B9EDB9189A7DF3CB69DF24AF1B57941543F53FE5A90E02FEB8C,IMPHASH=3908F13E6362FF821A5A7A58C7C88A99 IntegrityLevel: System ProcessGuid: {515cd0d1-6e21-5f22-3f00-000000004100} ProcessId: 2476 QueryName: DESKTOP-LJRVE06 QueryResults: 10.0.2.15; QueryStatus: 0 RuleName: - Services: Spooler User: NT AUTHORITY\\SYSTEM UtcTime: 4242-04-24 13:37:42.422 |
23 | Microsoft-Windows-Sysmon/Operational | Archived: true CommandLine: C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p -s SysMain CurrentDirectory: C:\\Windows\\system32\\ Hashes: SHA1=C8180192DDCFAC99F0A4AA693D155D2F04AB4577,MD5=250748E3EAE15E3277916ED7EC8E6D95,SHA256=9514A9D8A33DA79A67167EA64DCE2AFDEAA5A9184A35B40674F8784166D9168A,IMPHASH=00000000000000000000000000000000 Image: C:\\Windows\\system32\\svchost.exe ImageHashes: SHA1=75C5A97F521F760E32A4A9639A653EED862E9C61,MD5=9520A99E77D6196D0D09833146424113,SHA256=DD191A5B23DF92E12A8852291F9FB5ED594B76A28A5A464418442584AFD1E048,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69 IntegrityLevel: System IsExecutable: false ProcessGuid: {515cd0d1-6e20-5f22-2700-000000004100} ProcessId: 1716 RuleName: - Services: SysMain TargetFilename: C:\\Windows\\Prefetch\\WSL.EXE-59D55F1E.pf User: NT AUTHORITY\\SYSTEM UtcTime: 4242-04-24 13:37:42.422 |