rekall_pslist_result.dat
[["l",{}],["m",{"tool_name":"rekall","plugin_name":"pslist","tool_version":"1.0rc11"}],["t",[{"cname":"_EPROCESS","type":"_EPROCESS"},{"width":6,"align":"r","cname":"ppid","name":"PPID"},{"width":6,"align":"r","cname":"thread_count","name":"Thds"},{"width":8,"align":"r","cname":"handle_count","name":"Hnds"},{"width":6,"align":"r","cname":"session_id","name":"Sess"},{"width":6,"align":"r","cname":"wow64","name":"Wow64"},{"width":24,"cname":"process_create_time","name":"Start"},{"width":24,"cname":"process_exit_time","name":"Exit"}],{}],["p","%(name)s: Merging Address Ranges %(spinner)s",[],{"name":["*","Kernel AS@0x187000"]}],["r",{"process_create_time":{"epoch":1329940700,"type_name":["*","UnixTimeStamp"],"id":47464,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 19:58:20+0000"},"handle_count":489,"thread_count":78,"session_id":null,"process_exit_time":{"epoch":0,"type_name":["*","UnixTimeStamp"],"id":47465,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"-"},"_EPROCESS":{"name":"_EPROCESS","type_name":"_EPROCESS","vm":"AMD64PagedMemory@0x00187000 (Kernel AS@0x187000)","mro":["_EPROCESS","Struct","BaseAddressComparisonMixIn","BaseObject","object"],"Cybox":{"Parent_PID":0,"Name":"System","Creation_Time":{"epoch":1329940700,"type_name":["*","UnixTimeStamp"],"id":47491,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 19:58:20+0000"},"PID":4,"Image_Info":{"File_Name":"","type":"ProcessObj:ImageInfoType","Command_Line":null,"Path":null},"type":"ProcessObj:ProcessObjectType"},"offset":275427667675616,"id":47077},"wow64":false,"ppid":0}],["r",{"process_create_time":{"epoch":1329940700,"type_name":["*","UnixTimeStamp"],"id":47598,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 
19:58:20+0000"},"handle_count":29,"thread_count":2,"session_id":null,"process_exit_time":{"epoch":0,"type_name":["*","UnixTimeStamp"],"id":47599,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"-"},"_EPROCESS":{"name":"_EPROCESS","type_name":"_EPROCESS","vm":"AMD64PagedMemory@0x00187000 (Kernel AS@0x187000)","mro":["_EPROCESS","Struct","BaseAddressComparisonMixIn","BaseObject","object"],"Cybox":{"Parent_PID":4,"Name":"smss.exe","Creation_Time":{"epoch":1329940700,"type_name":["*","UnixTimeStamp"],"id":47627,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 19:58:20+0000"},"PID":208,"Image_Info":{"File_Name":"\\Device\\HarddiskVolume2\\Windows\\System32\\smss.exe","type":"ProcessObj:ImageInfoType","Command_Line":"\\SystemRoot\\System32\\smss.exe","Path":"\\SystemRoot\\System32\\smss.exe"},"type":"ProcessObj:ProcessObjectType"},"offset":275427676297200,"id":47129},"wow64":false,"ppid":4}],["r",{"process_create_time":{"epoch":1329940704,"type_name":["*","UnixTimeStamp"],"id":47772,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 19:58:24+0000"},"handle_count":385,"thread_count":9,"session_id":0,"process_exit_time":{"epoch":0,"type_name":["*","UnixTimeStamp"],"id":47773,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"-"},"_EPROCESS":{"name":"_EPROCESS","type_name":"_EPROCESS","vm":"AMD64PagedMemory@0x00187000 (Kernel AS@0x187000)","mro":["_EPROCESS","Struct","BaseAddressComparisonMixIn","BaseObject","object"],"Cybox":{"Parent_PID":288,"Name":"csrss.exe","Creation_Time":{"epoch":1329940704,"type_name":["*","UnixTimeStamp"],"id":47801,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 
19:58:24+0000"},"PID":296,"Image_Info":{"File_Name":"\\Device\\HarddiskVolume2\\Windows\\System32\\csrss.exe","type":"ProcessObj:ImageInfoType","Command_Line":"%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16","Path":"C:\\Windows\\system32\\csrss.exe"},"type":"ProcessObj:ProcessObjectType"},"offset":275427675342528,"id":47097},"wow64":false,"ppid":288}],["r",{"process_create_time":{"epoch":1329940710,"type_name":["*","UnixTimeStamp"],"id":47947,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 19:58:30+0000"},"handle_count":74,"thread_count":3,"session_id":0,"process_exit_time":{"epoch":0,"type_name":["*","UnixTimeStamp"],"id":47948,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"-"},"_EPROCESS":{"name":"_EPROCESS","type_name":"_EPROCESS","vm":"AMD64PagedMemory@0x00187000 (Kernel AS@0x187000)","mro":["_EPROCESS","Struct","BaseAddressComparisonMixIn","BaseObject","object"],"Cybox":{"Parent_PID":288,"Name":"wininit.exe","Creation_Time":{"epoch":1329940710,"type_name":["*","UnixTimeStamp"],"id":47976,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 
19:58:30+0000"},"PID":332,"Image_Info":{"File_Name":"\\Device\\HarddiskVolume2\\Windows\\System32\\wininit.exe","type":"ProcessObj:ImageInfoType","Command_Line":"wininit.exe","Path":"C:\\Windows\\system32\\wininit.exe"},"type":"ProcessObj:ProcessObjectType"},"offset":275427675939584,"id":47069},"wow64":false,"ppid":288}],["r",{"process_create_time":{"epoch":1329940710,"type_name":["*","UnixTimeStamp"],"id":48122,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 19:58:30+0000"},"handle_count":252,"thread_count":7,"session_id":1,"process_exit_time":{"epoch":0,"type_name":["*","UnixTimeStamp"],"id":48123,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"-"},"_EPROCESS":{"name":"_EPROCESS","type_name":"_EPROCESS","vm":"AMD64PagedMemory@0x00187000 (Kernel AS@0x187000)","mro":["_EPROCESS","Struct","BaseAddressComparisonMixIn","BaseObject","object"],"Cybox":{"Parent_PID":324,"Name":"csrss.exe","Creation_Time":{"epoch":1329940710,"type_name":["*","UnixTimeStamp"],"id":48151,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 19:58:30+0000"},"PID":344,"Image_Info":{"File_Name":"\\Device\\HarddiskVolume2\\Windows\\System32\\csrss.exe","type":"ProcessObj:ImageInfoType","Command_Line":"%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off 
MaxRequestThreads=16","Path":"C:\\Windows\\system32\\csrss.exe"},"type":"ProcessObj:ProcessObjectType"},"offset":275427675368240,"id":47081},"wow64":false,"ppid":324}],["r",{"process_create_time":{"epoch":1329940927,"type_name":["*","UnixTimeStamp"],"id":48297,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 20:02:07+0000"},"handle_count":338,"thread_count":14,"session_id":0,"process_exit_time":{"epoch":0,"type_name":["*","UnixTimeStamp"],"id":48298,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"-"},"_EPROCESS":{"name":"_EPROCESS","type_name":"_EPROCESS","vm":"AMD64PagedMemory@0x00187000 (Kernel AS@0x187000)","mro":["_EPROCESS","Struct","BaseAddressComparisonMixIn","BaseObject","object"],"Cybox":{"Parent_PID":428,"Name":"svchost.exe","Creation_Time":{"epoch":1329940927,"type_name":["*","UnixTimeStamp"],"id":48326,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 20:02:07+0000"},"PID":348,"Image_Info":{"File_Name":"\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe","type":"ProcessObj:ImageInfoType","Command_Line":"C:\\Windows\\system32\\svchost.exe -k LocalService","Path":"C:\\Windows\\system32\\svchost.exe"},"type":"ProcessObj:ProcessObjectType"},"offset":275427675752512,"id":47099},"wow64":false,"ppid":428}],["r",{"process_create_time":{"epoch":1329940711,"type_name":["*","UnixTimeStamp"],"id":48472,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 19:58:31+0000"},"handle_count":136,"thread_count":5,"session_id":1,"process_exit_time":{"epoch":0,"type_name":["*","UnixTimeStamp"],"id":48473,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"-"},"_EPROCESS":{"name":"_EPROCESS","type_name":"_EPROCESS","vm":"AMD64PagedMemory@0x00187000 
(Kernel AS@0x187000)","mro":["_EPROCESS","Struct","BaseAddressComparisonMixIn","BaseObject","object"],"Cybox":{"Parent_PID":324,"Name":"winlogon.exe","Creation_Time":{"epoch":1329940711,"type_name":["*","UnixTimeStamp"],"id":48501,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 19:58:31+0000"},"PID":372,"Image_Info":{"File_Name":"\\Device\\HarddiskVolume2\\Windows\\System32\\winlogon.exe","type":"ProcessObj:ImageInfoType","Command_Line":"winlogon.exe","Path":"C:\\Windows\\system32\\winlogon.exe"},"type":"ProcessObj:ProcessObjectType"},"offset":275427675867952,"id":47135},"wow64":false,"ppid":324}],["r",{"process_create_time":{"epoch":1329940712,"type_name":["*","UnixTimeStamp"],"id":48647,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 19:58:32+0000"},"handle_count":193,"thread_count":6,"session_id":0,"process_exit_time":{"epoch":0,"type_name":["*","UnixTimeStamp"],"id":48648,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"-"},"_EPROCESS":{"name":"_EPROCESS","type_name":"_EPROCESS","vm":"AMD64PagedMemory@0x00187000 (Kernel AS@0x187000)","mro":["_EPROCESS","Struct","BaseAddressComparisonMixIn","BaseObject","object"],"Cybox":{"Parent_PID":332,"Name":"services.exe","Creation_Time":{"epoch":1329940712,"type_name":["*","UnixTimeStamp"],"id":48676,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 
19:58:32+0000"},"PID":428,"Image_Info":{"File_Name":"\\Device\\HarddiskVolume2\\Windows\\System32\\services.exe","type":"ProcessObj:ImageInfoType","Command_Line":"C:\\Windows\\system32\\services.exe","Path":"C:\\Windows\\system32\\services.exe"},"type":"ProcessObj:ProcessObjectType"},"offset":275427675728688,"id":47133},"wow64":false,"ppid":332}],["r",{"process_create_time":{"epoch":1329940712,"type_name":["*","UnixTimeStamp"],"id":48822,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 19:58:32+0000"},"handle_count":557,"thread_count":6,"session_id":0,"process_exit_time":{"epoch":0,"type_name":["*","UnixTimeStamp"],"id":48823,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"-"},"_EPROCESS":{"name":"_EPROCESS","type_name":"_EPROCESS","vm":"AMD64PagedMemory@0x00187000 (Kernel AS@0x187000)","mro":["_EPROCESS","Struct","BaseAddressComparisonMixIn","BaseObject","object"],"Cybox":{"Parent_PID":332,"Name":"lsass.exe","Creation_Time":{"epoch":1329940712,"type_name":["*","UnixTimeStamp"],"id":48851,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 19:58:32+0000"},"PID":444,"Image_Info":{"File_Name":"\\Device\\HarddiskVolume2\\Windows\\System32\\lsass.exe","type":"ProcessObj:ImageInfoType","Command_Line":"C:\\Windows\\system32\\lsass.exe","Path":"C:\\Windows\\system32\\lsass.exe"},"type":"ProcessObj:ProcessObjectType"},"offset":275427681392384,"id":47067},"wow64":false,"ppid":332}],["r",{"process_create_time":{"epoch":1329940712,"type_name":["*","UnixTimeStamp"],"id":48997,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 
19:58:32+0000"},"handle_count":133,"thread_count":10,"session_id":0,"process_exit_time":{"epoch":0,"type_name":["*","UnixTimeStamp"],"id":48998,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"-"},"_EPROCESS":{"name":"_EPROCESS","type_name":"_EPROCESS","vm":"AMD64PagedMemory@0x00187000 (Kernel AS@0x187000)","mro":["_EPROCESS","Struct","BaseAddressComparisonMixIn","BaseObject","object"],"Cybox":{"Parent_PID":332,"Name":"lsm.exe","Creation_Time":{"epoch":1329940712,"type_name":["*","UnixTimeStamp"],"id":49026,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 19:58:32+0000"},"PID":452,"Image_Info":{"File_Name":"\\Device\\HarddiskVolume2\\Windows\\System32\\lsm.exe","type":"ProcessObj:ImageInfoType","Command_Line":"C:\\Windows\\system32\\lsm.exe","Path":"C:\\Windows\\system32\\lsm.exe"},"type":"ProcessObj:ProcessObjectType"},"offset":275427678106032,"id":47091},"wow64":false,"ppid":332}],["r",{"process_create_time":{"epoch":0,"type_name":["*","UnixTimeStamp"],"id":49160,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"-"},"handle_count":null,"thread_count":0,"session_id":null,"process_exit_time":{"epoch":0,"type_name":["*","UnixTimeStamp"],"id":49161,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"-"},"_EPROCESS":{"name":"_EPROCESS","type_name":"_EPROCESS","vm":"AMD64PagedMemory@0x00187000 (Kernel 
AS@0x187000)","mro":["_EPROCESS","Struct","BaseAddressComparisonMixIn","BaseObject","object"],"Cybox":{"Parent_PID":0,"Name":"","Creation_Time":{"epoch":0,"type_name":["*","UnixTimeStamp"],"id":49188,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"-"},"PID":504,"Image_Info":{"File_Name":null,"type":"ProcessObj:ImageInfoType","Command_Line":null,"Path":null},"type":"ProcessObj:ProcessObjectType"},"offset":275427678271376,"id":47083},"wow64":false,"ppid":0}],["r",{"process_create_time":{"epoch":0,"type_name":["*","UnixTimeStamp"],"id":49283,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"-"},"handle_count":null,"thread_count":0,"session_id":null,"process_exit_time":{"epoch":0,"type_name":["*","UnixTimeStamp"],"id":49284,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"-"},"_EPROCESS":{"name":"_EPROCESS","type_name":"_EPROCESS","vm":"AMD64PagedMemory@0x00187000 (Kernel AS@0x187000)","mro":["_EPROCESS","Struct","BaseAddressComparisonMixIn","BaseObject","object"],"Cybox":{"Parent_PID":0,"Name":"","Creation_Time":{"epoch":0,"type_name":["*","UnixTimeStamp"],"id":49311,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"-"},"PID":504,"Image_Info":{"File_Name":null,"type":"ProcessObj:ImageInfoType","Command_Line":null,"Path":null},"type":"ProcessObj:ProcessObjectType"},"offset":275427678814304,"id":47087},"wow64":false,"ppid":0}],["r",{"process_create_time":{"epoch":1329940927,"type_name":["*","UnixTimeStamp"],"id":49418,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 
20:02:07+0000"},"handle_count":496,"thread_count":16,"session_id":0,"process_exit_time":{"epoch":0,"type_name":["*","UnixTimeStamp"],"id":49419,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"-"},"_EPROCESS":{"name":"_EPROCESS","type_name":"_EPROCESS","vm":"AMD64PagedMemory@0x00187000 (Kernel AS@0x187000)","mro":["_EPROCESS","Struct","BaseAddressComparisonMixIn","BaseObject","object"],"Cybox":{"Parent_PID":428,"Name":"svchost.exe","Creation_Time":{"epoch":1329940927,"type_name":["*","UnixTimeStamp"],"id":49447,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 20:02:07+0000"},"PID":504,"Image_Info":{"File_Name":"\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe","type":"ProcessObj:ImageInfoType","Command_Line":"C:\\Windows\\System32\\svchost.exe -k NetworkService","Path":"C:\\Windows\\System32\\svchost.exe"},"type":"ProcessObj:ProcessObjectType"},"offset":275427675379248,"id":47115},"wow64":false,"ppid":428}],["r",{"process_create_time":{"epoch":1329940714,"type_name":["*","UnixTimeStamp"],"id":49593,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 19:58:34+0000"},"handle_count":352,"thread_count":10,"session_id":0,"process_exit_time":{"epoch":0,"type_name":["*","UnixTimeStamp"],"id":49594,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"-"},"_EPROCESS":{"name":"_EPROCESS","type_name":"_EPROCESS","vm":"AMD64PagedMemory@0x00187000 (Kernel AS@0x187000)","mro":["_EPROCESS","Struct","BaseAddressComparisonMixIn","BaseObject","object"],"Cybox":{"Parent_PID":428,"Name":"svchost.exe","Creation_Time":{"epoch":1329940714,"type_name":["*","UnixTimeStamp"],"id":49622,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 
19:58:34+0000"},"PID":568,"Image_Info":{"File_Name":"\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe","type":"ProcessObj:ImageInfoType","Command_Line":"C:\\Windows\\system32\\svchost.exe -k DcomLaunch","Path":"C:\\Windows\\system32\\svchost.exe"},"type":"ProcessObj:ProcessObjectType"},"offset":275427682249520,"id":47111},"wow64":false,"ppid":428}],["r",{"process_create_time":{"epoch":1329940714,"type_name":["*","UnixTimeStamp"],"id":49768,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 19:58:34+0000"},"handle_count":247,"thread_count":6,"session_id":0,"process_exit_time":{"epoch":0,"type_name":["*","UnixTimeStamp"],"id":49769,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"-"},"_EPROCESS":{"name":"_EPROCESS","type_name":"_EPROCESS","vm":"AMD64PagedMemory@0x00187000 (Kernel AS@0x187000)","mro":["_EPROCESS","Struct","BaseAddressComparisonMixIn","BaseObject","object"],"Cybox":{"Parent_PID":428,"Name":"svchost.exe","Creation_Time":{"epoch":1329940714,"type_name":["*","UnixTimeStamp"],"id":49797,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 19:58:34+0000"},"PID":628,"Image_Info":{"File_Name":"\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe","type":"ProcessObj:ImageInfoType","Command_Line":"C:\\Windows\\system32\\svchost.exe -k RPCSS","Path":"C:\\Windows\\system32\\svchost.exe"},"type":"ProcessObj:ProcessObjectType"},"offset":275427682432544,"id":47079},"wow64":false,"ppid":428}],["r",{"process_create_time":{"epoch":1329940721,"type_name":["*","UnixTimeStamp"],"id":49943,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 
19:58:41+0000"},"handle_count":154,"thread_count":5,"session_id":0,"process_exit_time":{"epoch":0,"type_name":["*","UnixTimeStamp"],"id":49944,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"-"},"_EPROCESS":{"name":"_EPROCESS","type_name":"_EPROCESS","vm":"AMD64PagedMemory@0x00187000 (Kernel AS@0x187000)","mro":["_EPROCESS","Struct","BaseAddressComparisonMixIn","BaseObject","object"],"Cybox":{"Parent_PID":428,"Name":"sppsvc.exe","Creation_Time":{"epoch":1329940721,"type_name":["*","UnixTimeStamp"],"id":49972,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 19:58:41+0000"},"PID":816,"Image_Info":{"File_Name":"\\Device\\HarddiskVolume2\\Windows\\System32\\sppsvc.exe","type":"ProcessObj:ImageInfoType","Command_Line":"C:\\Windows\\system32\\sppsvc.exe","Path":"C:\\Windows\\system32\\sppsvc.exe"},"type":"ProcessObj:ProcessObjectType"},"offset":275427682834768,"id":47107},"wow64":false,"ppid":428}],["r",{"process_create_time":{"epoch":1329940723,"type_name":["*","UnixTimeStamp"],"id":50118,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 19:58:43+0000"},"handle_count":404,"thread_count":16,"session_id":0,"process_exit_time":{"epoch":0,"type_name":["*","UnixTimeStamp"],"id":50119,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"-"},"_EPROCESS":{"name":"_EPROCESS","type_name":"_EPROCESS","vm":"AMD64PagedMemory@0x00187000 (Kernel AS@0x187000)","mro":["_EPROCESS","Struct","BaseAddressComparisonMixIn","BaseObject","object"],"Cybox":{"Parent_PID":428,"Name":"svchost.exe","Creation_Time":{"epoch":1329940723,"type_name":["*","UnixTimeStamp"],"id":50147,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 
19:58:43+0000"},"PID":856,"Image_Info":{"File_Name":"\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe","type":"ProcessObj:ImageInfoType","Command_Line":"C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted","Path":"C:\\Windows\\System32\\svchost.exe"},"type":"ProcessObj:ProcessObjectType"},"offset":275427670849888,"id":47121},"wow64":false,"ppid":428}],["r",{"process_create_time":{"epoch":1329940723,"type_name":["*","UnixTimeStamp"],"id":50293,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 19:58:43+0000"},"handle_count":1118,"thread_count":34,"session_id":0,"process_exit_time":{"epoch":0,"type_name":["*","UnixTimeStamp"],"id":50294,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"-"},"_EPROCESS":{"name":"_EPROCESS","type_name":"_EPROCESS","vm":"AMD64PagedMemory@0x00187000 (Kernel AS@0x187000)","mro":["_EPROCESS","Struct","BaseAddressComparisonMixIn","BaseObject","object"],"Cybox":{"Parent_PID":428,"Name":"svchost.exe","Creation_Time":{"epoch":1329940723,"type_name":["*","UnixTimeStamp"],"id":50322,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 19:58:43+0000"},"PID":880,"Image_Info":{"File_Name":"\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe","type":"ProcessObj:ImageInfoType","Command_Line":"C:\\Windows\\system32\\svchost.exe -k netsvcs","Path":"C:\\Windows\\system32\\svchost.exe"},"type":"ProcessObj:ProcessObjectType"},"offset":275427670865744,"id":47123},"wow64":false,"ppid":428}],["r",{"process_create_time":{"epoch":1329940723,"type_name":["*","UnixTimeStamp"],"id":50468,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 
19:58:43+0000"},"handle_count":443,"thread_count":19,"session_id":0,"process_exit_time":{"epoch":0,"type_name":["*","UnixTimeStamp"],"id":50469,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"-"},"_EPROCESS":{"name":"_EPROCESS","type_name":"_EPROCESS","vm":"AMD64PagedMemory@0x00187000 (Kernel AS@0x187000)","mro":["_EPROCESS","Struct","BaseAddressComparisonMixIn","BaseObject","object"],"Cybox":{"Parent_PID":428,"Name":"svchost.exe","Creation_Time":{"epoch":1329940723,"type_name":["*","UnixTimeStamp"],"id":50497,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 19:58:43+0000"},"PID":916,"Image_Info":{"File_Name":"\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe","type":"ProcessObj:ImageInfoType","Command_Line":null,"Path":null},"type":"ProcessObj:ProcessObjectType"},"offset":275427670952416,"id":47101},"wow64":false,"ppid":428}],["r",{"process_create_time":{"epoch":1329940930,"type_name":["*","UnixTimeStamp"],"id":50625,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 20:02:10+0000"},"handle_count":271,"thread_count":12,"session_id":0,"process_exit_time":{"epoch":0,"type_name":["*","UnixTimeStamp"],"id":50626,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"-"},"_EPROCESS":{"name":"_EPROCESS","type_name":"_EPROCESS","vm":"AMD64PagedMemory@0x00187000 (Kernel AS@0x187000)","mro":["_EPROCESS","Struct","BaseAddressComparisonMixIn","BaseObject","object"],"Cybox":{"Parent_PID":428,"Name":"spoolsv.exe","Creation_Time":{"epoch":1329940930,"type_name":["*","UnixTimeStamp"],"id":50654,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 
20:02:10+0000"},"PID":1076,"Image_Info":{"File_Name":"\\Device\\HarddiskVolume2\\Windows\\System32\\spoolsv.exe","type":"ProcessObj:ImageInfoType","Command_Line":"C:\\Windows\\System32\\spoolsv.exe","Path":"C:\\Windows\\System32\\spoolsv.exe"},"type":"ProcessObj:ProcessObjectType"},"offset":275427677988496,"id":47071},"wow64":false,"ppid":428}],["r",{"process_create_time":{"epoch":1329940930,"type_name":["*","UnixTimeStamp"],"id":50800,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 20:02:10+0000"},"handle_count":307,"thread_count":18,"session_id":0,"process_exit_time":{"epoch":0,"type_name":["*","UnixTimeStamp"],"id":50801,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"-"},"_EPROCESS":{"name":"_EPROCESS","type_name":"_EPROCESS","vm":"AMD64PagedMemory@0x00187000 (Kernel AS@0x187000)","mro":["_EPROCESS","Struct","BaseAddressComparisonMixIn","BaseObject","object"],"Cybox":{"Parent_PID":428,"Name":"svchost.exe","Creation_Time":{"epoch":1329940930,"type_name":["*","UnixTimeStamp"],"id":50829,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 20:02:10+0000"},"PID":1104,"Image_Info":{"File_Name":"\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe","type":"ProcessObj:ImageInfoType","Command_Line":"C:\\Windows\\system32\\svchost.exe -k LocalServiceNoNetwork","Path":"C:\\Windows\\system32\\svchost.exe"},"type":"ProcessObj:ProcessObjectType"},"offset":275427668101936,"id":47119},"wow64":false,"ppid":428}],["r",{"process_create_time":{"epoch":1329940961,"type_name":["*","UnixTimeStamp"],"id":50975,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 
20:02:41+0000"},"handle_count":189,"thread_count":7,"session_id":1,"process_exit_time":{"epoch":0,"type_name":["*","UnixTimeStamp"],"id":50976,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"-"},"_EPROCESS":{"name":"_EPROCESS","type_name":"_EPROCESS","vm":"AMD64PagedMemory@0x00187000 (Kernel AS@0x187000)","mro":["_EPROCESS","Struct","BaseAddressComparisonMixIn","BaseObject","object"],"Cybox":{"Parent_PID":428,"Name":"taskhost.exe","Creation_Time":{"epoch":1329940961,"type_name":["*","UnixTimeStamp"],"id":51004,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 20:02:41+0000"},"PID":1144,"Image_Info":{"File_Name":"\\Device\\HarddiskVolume2\\Windows\\System32\\taskhost.exe","type":"ProcessObj:ImageInfoType","Command_Line":"\"taskhost.exe\"","Path":"C:\\Windows\\system32\\taskhost.exe"},"type":"ProcessObj:ProcessObjectType"},"offset":275427674203696,"id":47117},"wow64":false,"ppid":428}],["r",{"process_create_time":{"epoch":1329940985,"type_name":["*","UnixTimeStamp"],"id":51149,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 20:03:05+0000"},"handle_count":null,"thread_count":0,"session_id":1,"process_exit_time":{"epoch":1329940988,"type_name":["*","UnixTimeStamp"],"id":51150,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 20:03:08+0000"},"_EPROCESS":{"name":"_EPROCESS","type_name":"_EPROCESS","vm":"AMD64PagedMemory@0x00187000 (Kernel AS@0x187000)","mro":["_EPROCESS","Struct","BaseAddressComparisonMixIn","BaseObject","object"],"Cybox":{"Parent_PID":1652,"Name":"regsvr32.exe","Creation_Time":{"epoch":1329940985,"type_name":["*","UnixTimeStamp"],"id":51176,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 
20:03:05+0000"},"PID":1180,"Image_Info":{"File_Name":"\\Device\\HarddiskVolume2\\Windows\\System32\\regsvr32.exe","type":"ProcessObj:ImageInfoType","Command_Line":null,"Path":null},"type":"ProcessObj:ProcessObjectType"},"offset":275427675973168,"id":47113},"wow64":false,"ppid":1652}],["r",{"process_create_time":{"epoch":1329940931,"type_name":["*","UnixTimeStamp"],"id":51302,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 20:02:11+0000"},"handle_count":43,"thread_count":4,"session_id":0,"process_exit_time":{"epoch":0,"type_name":["*","UnixTimeStamp"],"id":51303,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"-"},"_EPROCESS":{"name":"_EPROCESS","type_name":"_EPROCESS","vm":"AMD64PagedMemory@0x00187000 (Kernel AS@0x187000)","mro":["_EPROCESS","Struct","BaseAddressComparisonMixIn","BaseObject","object"],"Cybox":{"Parent_PID":428,"Name":"wlms.exe","Creation_Time":{"epoch":1329940931,"type_name":["*","UnixTimeStamp"],"id":51331,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 20:02:11+0000"},"PID":1264,"Image_Info":{"File_Name":"\\Device\\HarddiskVolume2\\Windows\\System32\\wlms\\wlms.exe","type":"ProcessObj:ImageInfoType","Command_Line":"C:\\Windows\\system32\\wlms\\wlms.exe","Path":"C:\\Windows\\system32\\wlms\\wlms.exe"},"type":"ProcessObj:ProcessObjectType"},"offset":275427672512864,"id":47073},"wow64":false,"ppid":428}],["r",{"process_create_time":{"epoch":1329941054,"type_name":["*","UnixTimeStamp"],"id":51477,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 
20:04:14+0000"},"handle_count":350,"thread_count":12,"session_id":0,"process_exit_time":{"epoch":0,"type_name":["*","UnixTimeStamp"],"id":51478,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"-"},"_EPROCESS":{"name":"_EPROCESS","type_name":"_EPROCESS","vm":"AMD64PagedMemory@0x00187000 (Kernel AS@0x187000)","mro":["_EPROCESS","Struct","BaseAddressComparisonMixIn","BaseObject","object"],"Cybox":{"Parent_PID":428,"Name":"svchost.exe","Creation_Time":{"epoch":1329941054,"type_name":["*","UnixTimeStamp"],"id":51506,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 20:04:14+0000"},"PID":1432,"Image_Info":{"File_Name":"\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe","type":"ProcessObj:ImageInfoType","Command_Line":"C:\\Windows\\System32\\svchost.exe -k secsvcs","Path":"C:\\Windows\\System32\\svchost.exe"},"type":"ProcessObj:ProcessObjectType"},"offset":275427673568816,"id":47131},"wow64":false,"ppid":428}],["r",{"process_create_time":{"epoch":1329940961,"type_name":["*","UnixTimeStamp"],"id":51652,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 20:02:41+0000"},"handle_count":71,"thread_count":3,"session_id":1,"process_exit_time":{"epoch":0,"type_name":["*","UnixTimeStamp"],"id":51653,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"-"},"_EPROCESS":{"name":"_EPROCESS","type_name":"_EPROCESS","vm":"AMD64PagedMemory@0x00187000 (Kernel AS@0x187000)","mro":["_EPROCESS","Struct","BaseAddressComparisonMixIn","BaseObject","object"],"Cybox":{"Parent_PID":856,"Name":"dwm.exe","Creation_Time":{"epoch":1329940961,"type_name":["*","UnixTimeStamp"],"id":51681,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 
20:02:41+0000"},"PID":1476,"Image_Info":{"File_Name":"\\Device\\HarddiskVolume2\\Windows\\System32\\dwm.exe","type":"ProcessObj:ImageInfoType","Command_Line":"\"C:\\Windows\\system32\\Dwm.exe\"","Path":"C:\\Windows\\system32\\Dwm.exe"},"type":"ProcessObj:ProcessObjectType"},"offset":275427678157616,"id":47095},"wow64":false,"ppid":856}],["r",{"process_create_time":{"epoch":1329940962,"type_name":["*","UnixTimeStamp"],"id":51827,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 20:02:42+0000"},"handle_count":760,"thread_count":21,"session_id":1,"process_exit_time":{"epoch":0,"type_name":["*","UnixTimeStamp"],"id":51828,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"-"},"_EPROCESS":{"name":"_EPROCESS","type_name":"_EPROCESS","vm":"AMD64PagedMemory@0x00187000 (Kernel AS@0x187000)","mro":["_EPROCESS","Struct","BaseAddressComparisonMixIn","BaseObject","object"],"Cybox":{"Parent_PID":840,"Name":"explorer.exe","Creation_Time":{"epoch":1329940962,"type_name":["*","UnixTimeStamp"],"id":51856,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 20:02:42+0000"},"PID":1652,"Image_Info":{"File_Name":"\\Device\\HarddiskVolume2\\Windows\\explorer.exe","type":"ProcessObj:ImageInfoType","Command_Line":"C:\\Windows\\Explorer.EXE","Path":"C:\\Windows\\Explorer.EXE"},"type":"ProcessObj:ProcessObjectType"},"offset":275427672142880,"id":47125},"wow64":false,"ppid":840}],["r",{"process_create_time":{"epoch":1329940945,"type_name":["*","UnixTimeStamp"],"id":52002,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 
20:02:25+0000"},"handle_count":200,"thread_count":12,"session_id":0,"process_exit_time":{"epoch":0,"type_name":["*","UnixTimeStamp"],"id":52003,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"-"},"_EPROCESS":{"name":"_EPROCESS","type_name":"_EPROCESS","vm":"AMD64PagedMemory@0x00187000 (Kernel AS@0x187000)","mro":["_EPROCESS","Struct","BaseAddressComparisonMixIn","BaseObject","object"],"Cybox":{"Parent_PID":428,"Name":"svchost.exe","Creation_Time":{"epoch":1329940945,"type_name":["*","UnixTimeStamp"],"id":52031,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 20:02:25+0000"},"PID":1736,"Image_Info":{"File_Name":"\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe","type":"ProcessObj:ImageInfoType","Command_Line":null,"Path":null},"type":"ProcessObj:ProcessObjectType"},"offset":275427672808240,"id":47109},"wow64":false,"ppid":428}],["r",{"process_create_time":{"epoch":1329940946,"type_name":["*","UnixTimeStamp"],"id":52159,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 20:02:26+0000"},"handle_count":757,"thread_count":12,"session_id":0,"process_exit_time":{"epoch":0,"type_name":["*","UnixTimeStamp"],"id":52160,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"-"},"_EPROCESS":{"name":"_EPROCESS","type_name":"_EPROCESS","vm":"AMD64PagedMemory@0x00187000 (Kernel AS@0x187000)","mro":["_EPROCESS","Struct","BaseAddressComparisonMixIn","BaseObject","object"],"Cybox":{"Parent_PID":428,"Name":"SearchIndexer.","Creation_Time":{"epoch":1329940946,"type_name":["*","UnixTimeStamp"],"id":52188,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 
20:02:26+0000"},"PID":1800,"Image_Info":{"File_Name":"\\Device\\HarddiskVolume2\\Windows\\System32\\SearchIndexer.exe","type":"ProcessObj:ImageInfoType","Command_Line":"C:\\Windows\\system32\\SearchIndexer.exe /Embedding","Path":"C:\\Windows\\system32\\SearchIndexer.exe"},"type":"ProcessObj:ProcessObjectType"},"offset":275427673901872,"id":47137},"wow64":false,"ppid":428}],["r",{"process_create_time":{"epoch":1329909972,"type_name":["*","UnixTimeStamp"],"id":52334,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 11:26:12+0000"},"handle_count":688,"thread_count":19,"session_id":1,"process_exit_time":{"epoch":0,"type_name":["*","UnixTimeStamp"],"id":52335,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"-"},"_EPROCESS":{"name":"_EPROCESS","type_name":"_EPROCESS","vm":"AMD64PagedMemory@0x00187000 (Kernel AS@0x187000)","mro":["_EPROCESS","Struct","BaseAddressComparisonMixIn","BaseObject","object"],"Cybox":{"Parent_PID":1652,"Name":"iexplore.exe","Creation_Time":{"epoch":1329909972,"type_name":["*","UnixTimeStamp"],"id":52363,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 11:26:12+0000"},"PID":1892,"Image_Info":{"File_Name":"\\Device\\HarddiskVolume2\\Program Files (x86)\\Internet Explorer\\iexplore.exe","type":"ProcessObj:ImageInfoType","Command_Line":"\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" ","Path":"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"},"type":"ProcessObj:ProcessObjectType"},"offset":275427672823680,"id":47103},"wow64":true,"ppid":1652}],["r",{"process_create_time":{"epoch":1329940996,"type_name":["*","UnixTimeStamp"],"id":52509,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 
20:03:16+0000"},"handle_count":67,"thread_count":3,"session_id":1,"process_exit_time":{"epoch":0,"type_name":["*","UnixTimeStamp"],"id":52510,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"-"},"_EPROCESS":{"name":"_EPROCESS","type_name":"_EPROCESS","vm":"AMD64PagedMemory@0x00187000 (Kernel AS@0x187000)","mro":["_EPROCESS","Struct","BaseAddressComparisonMixIn","BaseObject","object"],"Cybox":{"Parent_PID":568,"Name":"rundll32.exe","Creation_Time":{"epoch":1329940996,"type_name":["*","UnixTimeStamp"],"id":52538,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 20:03:16+0000"},"PID":2016,"Image_Info":{"File_Name":"\\Device\\HarddiskVolume2\\Windows\\System32\\rundll32.exe","type":"ProcessObj:ImageInfoType","Command_Line":"C:\\Windows\\System32\\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding","Path":"C:\\Windows\\System32\\rundll32.exe"},"type":"ProcessObj:ProcessObjectType"},"offset":275427673258800,"id":47089},"wow64":false,"ppid":568}],["r",{"process_create_time":{"epoch":1329910205,"type_name":["*","UnixTimeStamp"],"id":52682,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 11:30:05+0000"},"handle_count":null,"thread_count":0,"session_id":null,"process_exit_time":{"epoch":1329910272,"type_name":["*","UnixTimeStamp"],"id":52683,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 11:31:12+0000"},"_EPROCESS":{"name":"_EPROCESS","type_name":"_EPROCESS","vm":"AMD64PagedMemory@0x00187000 (Kernel 
AS@0x187000)","mro":["_EPROCESS","Struct","BaseAddressComparisonMixIn","BaseObject","object"],"Cybox":{"Parent_PID":1800,"Name":"SearchProtocol","Creation_Time":{"epoch":1329910205,"type_name":["*","UnixTimeStamp"],"id":52706,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 11:30:05+0000"},"PID":2096,"Image_Info":{"File_Name":null,"type":"ProcessObj:ImageInfoType","Command_Line":null,"Path":null},"type":"ProcessObj:ProcessObjectType"},"offset":275427679740000,"id":47093},"wow64":false,"ppid":1800}],["r",{"process_create_time":{"epoch":1329910139,"type_name":["*","UnixTimeStamp"],"id":52822,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 11:28:59+0000"},"handle_count":51,"thread_count":2,"session_id":1,"process_exit_time":{"epoch":0,"type_name":["*","UnixTimeStamp"],"id":52823,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"-"},"_EPROCESS":{"name":"_EPROCESS","type_name":"_EPROCESS","vm":"AMD64PagedMemory@0x00187000 (Kernel AS@0x187000)","mro":["_EPROCESS","Struct","BaseAddressComparisonMixIn","BaseObject","object"],"Cybox":{"Parent_PID":344,"Name":"conhost.exe","Creation_Time":{"epoch":1329910139,"type_name":["*","UnixTimeStamp"],"id":52851,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 
11:28:59+0000"},"PID":2236,"Image_Info":{"File_Name":"\\Device\\HarddiskVolume2\\Windows\\System32\\conhost.exe","type":"ProcessObj:ImageInfoType","Command_Line":"\\??\\C:\\Windows\\system32\\conhost.exe","Path":"C:\\Windows\\system32\\conhost.exe"},"type":"ProcessObj:ProcessObjectType"},"offset":275427674073904,"id":47085},"wow64":false,"ppid":344}],["r",{"process_create_time":{"epoch":1329909975,"type_name":["*","UnixTimeStamp"],"id":52997,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 11:26:15+0000"},"handle_count":733,"thread_count":23,"session_id":1,"process_exit_time":{"epoch":0,"type_name":["*","UnixTimeStamp"],"id":52998,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"-"},"_EPROCESS":{"name":"_EPROCESS","type_name":"_EPROCESS","vm":"AMD64PagedMemory@0x00187000 (Kernel AS@0x187000)","mro":["_EPROCESS","Struct","BaseAddressComparisonMixIn","BaseObject","object"],"Cybox":{"Parent_PID":1892,"Name":"iexplore.exe","Creation_Time":{"epoch":1329909975,"type_name":["*","UnixTimeStamp"],"id":53026,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 11:26:15+0000"},"PID":2820,"Image_Info":{"File_Name":"\\Device\\HarddiskVolume2\\Program Files (x86)\\Internet Explorer\\iexplore.exe","type":"ProcessObj:ImageInfoType","Command_Line":"\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" SCODEF:1892 CREDAT:71937","Path":"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"},"type":"ProcessObj:ProcessObjectType"},"offset":275427680358496,"id":47075},"wow64":true,"ppid":1892}],["r",{"process_create_time":{"epoch":1329910139,"type_name":["*","UnixTimeStamp"],"id":53172,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 
11:28:59+0000"},"handle_count":42,"thread_count":2,"session_id":1,"process_exit_time":{"epoch":0,"type_name":["*","UnixTimeStamp"],"id":53173,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"-"},"_EPROCESS":{"name":"_EPROCESS","type_name":"_EPROCESS","vm":"AMD64PagedMemory@0x00187000 (Kernel AS@0x187000)","mro":["_EPROCESS","Struct","BaseAddressComparisonMixIn","BaseObject","object"],"Cybox":{"Parent_PID":1652,"Name":"DumpIt.exe","Creation_Time":{"epoch":1329910139,"type_name":["*","UnixTimeStamp"],"id":53201,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 11:28:59+0000"},"PID":2860,"Image_Info":{"File_Name":"\\Device\\HarddiskVolume2\\Users\\testing\\AppData\\Local\\Temp\\Temp1_DumpIt.zip\\DumpIt.exe","type":"ProcessObj:ImageInfoType","Command_Line":"\"C:\\Users\\testing\\AppData\\Local\\Temp\\Temp1_DumpIt.zip\\DumpIt.exe\" ","Path":"C:\\Users\\testing\\AppData\\Local\\Temp\\Temp1_DumpIt.zip\\DumpIt.exe"},"type":"ProcessObj:ProcessObjectType"},"offset":275427679625312,"id":47105},"wow64":true,"ppid":1652}],["r",{"process_create_time":{"epoch":1329909808,"type_name":["*","UnixTimeStamp"],"id":53346,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 11:23:28+0000"},"handle_count":null,"thread_count":0,"session_id":0,"process_exit_time":{"epoch":1329910263,"type_name":["*","UnixTimeStamp"],"id":53347,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 11:31:03+0000"},"_EPROCESS":{"name":"_EPROCESS","type_name":"_EPROCESS","vm":"AMD64PagedMemory@0x00187000 (Kernel 
AS@0x187000)","mro":["_EPROCESS","Struct","BaseAddressComparisonMixIn","BaseObject","object"],"Cybox":{"Parent_PID":428,"Name":"svchost.exe","Creation_Time":{"epoch":1329909808,"type_name":["*","UnixTimeStamp"],"id":53373,"mro":["WinFileTime","UnixTimeStamp","NativeType","NumericProxyMixIn","BaseObject","object"],"string_value":"2012-02-22 11:23:28+0000"},"PID":2924,"Image_Info":{"File_Name":null,"type":"ProcessObj:ImageInfoType","Command_Line":null,"Path":null},"type":"ProcessObj:ProcessObjectType"},"offset":275427674293536,"id":47127},"wow64":false,"ppid":428}]]