{ "cells": [ { "cell_type": "code", "execution_count": null, "id": "initial_id", "metadata": { "collapsed": true }, "outputs": [], "source": [ "import requests\n", "import pandas as pd\n", "import json\n", "\n", "# Function to recursively normalize nested columns in a DataFrame\n", "def recursively_normalize(data):\n", " df = pd.json_normalize(data)\n", " while True:\n", " nested_cols = [col for col in df.columns if isinstance(df[col].iloc[0], (dict, list))]\n", " if not nested_cols:\n", " break\n", " for col in nested_cols:\n", " if isinstance(df[col].iloc[0], dict):\n", " normalized = pd.json_normalize(df[col])\n", " df = df.drop(columns=[col]).join(normalized)\n", " elif isinstance(df[col].iloc[0], list):\n", " df = df.explode(col)\n", " normalized = pd.json_normalize(df[col])\n", " df = df.drop(columns=[col]).join(normalized)\n", " return df\n", "\n", "# Function to fetch the next batch using the cursor\n", "def fetch_next_batch(cursor):\n", " response = requests.post(\n", " f\"{base_url}/_sql?format=json\",\n", " headers={\"Content-Type\": \"application/json\"},\n", " json={\"cursor\": cursor}\n", " ).json()\n", " return response\n", "\n", "# Elasticsearch base URL\n", "base_url = \"http://192.168.20.106:9200\"\n", "# Index name\n", "index = \"winlogbeat-*\"\n", "\n", "from datetime import datetime, timedelta\n", "\n", "# Calculate the current time and the time one hour ago\n", "current_time = datetime.utcnow()\n", "one_hour_ago = current_time - timedelta(hours=1)\n", "\n", "# Format times in ISO8601 format as expected by Elasticsearch\n", "current_time_iso = current_time.strftime('%Y-%m-%dT%H:%M:%SZ')\n", "one_hour_ago_iso = one_hour_ago.strftime('%Y-%m-%dT%H:%M:%SZ')\n", "\n", "# SQL query with time filter\n", "sql_query = f\"\"\"\n", "SELECT \"@timestamp\", host.hostname, host.ip, log.level, winlog.event_id, winlog.task, message\n", "FROM \"winlogbeat-7.10.0-2024.06.23-*\"\n", "WHERE host.hostname = 'win10'\n", "AND winlog.provider_name = 'Microsoft-Windows-Sysmon'\n", "AND \"@timestamp\" >= '{one_hour_ago_iso}'\n", "AND \"@timestamp\" <= '{current_time_iso}'\n", "\"\"\"\n", "\n", "# Initial search request to start scrolling\n", "initial_response = requests.post(\n", " f\"{base_url}/_sql?format=json\",\n", " headers={\"Content-Type\": \"application/json\"},\n", " json={\n", " \"query\": sql_query,\n", " \"field_multi_value_leniency\": True\n", " }\n", ").json()\n", "\n", "# Extract the cursor for scrolling\n", "cursor = initial_response.get('cursor')\n", "rows = initial_response.get('rows')\n", "columns = [col['name'] for col in initial_response['columns']]\n", "\n", "# Initialize CSV file (assumes the first batch is not empty)\n", "if rows:\n", " df = pd.DataFrame(rows, columns=columns)\n", " df = recursively_normalize(df.to_dict(orient='records'))\n", " df.to_csv(\"lab_logs_blindtest_activity.csv\", mode='w', index=False, header=True)\n", "\n", "# Track total documents retrieved\n", "total_documents_retrieved = len(rows)\n", "print(f\"Retrieved {total_documents_retrieved} documents.\")\n", "\n", "# Loop to fetch subsequent batches of documents until no more documents are left\n", "while cursor:\n", " # Fetch next batch of documents using cursor\n", " response = fetch_next_batch(cursor)\n", " \n", " # Update cursor for the next batch\n", " cursor = response.get('cursor')\n", " rows = response.get('rows')\n", " \n", " # If no rows, break out of the loop\n", " if not rows:\n", " break\n", " \n", " # Normalize data and append to CSV\n", " df = pd.DataFrame(rows, columns=columns)\n", " df = recursively_normalize(df.to_dict(orient='records'))\n", " \n", " # Append to CSV file without headers\n", " df.to_csv(\"lab_logs_blindtest_activity.csv\", mode='a', index=False, header=False)\n", " \n", " # Convert DataFrame to JSON, line by line\n", " json_lines = df.to_json(orient='records', lines=True).splitlines()\n", " # Append each line to an existing JSON file\n", " with open(\"lab_logs_blindtest_activity.json\", 'a') as file:\n", " for line in json_lines:\n", " file.write(line + '\\n') # Append each line and add a newline\n", " \n", " # Update total documents retrieved\n", " total_documents_retrieved += len(rows)\n", " \n", " print(f\"Retrieved {total_documents_retrieved} documents.\")\n", "\n", "print(\"Files have been written.\")\n" ] }, { "metadata": { "ExecuteTime": { "end_time": "2024-06-23T14:27:10.324996Z", "start_time": "2024-06-23T14:27:10.066377Z" } }, "cell_type": "code", "source": [ "import polars as pl\n", "\n", "# Define the path to your CSV file\n", "csv_file_path = 'lab_logs_blindtest_activity.csv'\n", "\n", "# Load the CSV file into a DataFrame\n", "df = pl.read_csv(csv_file_path)\n", "\n", "# Show the DataFrame to confirm it's loaded correctly\n", "print(df)\n" ], "id": "847862813f6a8c74", "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "shape: (1_027, 7)\n", "┌──────────────┬─────────────┬─────────────┬─────────────┬─────────────┬─────────────┬─────────────┐\n", "│ @timestamp ┆ host.hostna ┆ host.ip ┆ log.level ┆ winlog.even ┆ winlog.task ┆ message │\n", "│ --- ┆ me ┆ --- ┆ --- ┆ t_id ┆ --- ┆ --- │\n", "│ str ┆ --- ┆ str ┆ str ┆ --- ┆ str ┆ str │\n", "│ ┆ str ┆ ┆ ┆ i64 ┆ ┆ │\n", "╞══════════════╪═════════════╪═════════════╪═════════════╪═════════════╪═════════════╪═════════════╡\n", "│ 2024-06-23T0 ┆ win10 ┆ fe80::965b: ┆ information ┆ 10 ┆ Process ┆ Process │\n", "│ 7:42:03.814Z ┆ ┆ 5bf2:7f22:d ┆ ┆ ┆ accessed ┆ accessed: │\n", "│ ┆ ┆ 30 ┆ ┆ ┆ (rule: ┆ RuleName: - │\n", "│ ┆ ┆ ┆ ┆ ┆ Proces… ┆ … │\n", "│ 2024-06-23T0 ┆ win10 ┆ fe80::965b: ┆ information ┆ 10 ┆ Process ┆ Process │\n", "│ 7:42:03.814Z ┆ ┆ 5bf2:7f22:d ┆ ┆ ┆ accessed ┆ accessed: │\n", "│ ┆ ┆ 30 ┆ ┆ ┆ (rule: ┆ RuleName: - │\n", "│ ┆ ┆ ┆ ┆ ┆ Proces… ┆ … │\n", "│ 2024-06-23T0 ┆ win10 ┆ fe80::965b: ┆ information ┆ 1 ┆ Process ┆ Process │\n", "│ 7:42:03.820Z ┆ ┆ 5bf2:7f22:d ┆ ┆ ┆ Create ┆ Create: │\n", "│ ┆ ┆ 30 ┆ ┆ ┆ (rule: ┆ RuleName: - │\n", "│ ┆ ┆ ┆ ┆ ┆ ProcessC… ┆ Ut… │\n", "│ 2024-06-23T0 ┆ win10 ┆ fe80::965b: ┆ information ┆ 13 ┆ Registry ┆ Registry │\n", "│ 7:42:03.846Z ┆ ┆ 5bf2:7f22:d ┆ ┆ ┆ value set ┆ value set: │\n", "│ ┆ ┆ 30 ┆ ┆ ┆ (rule: ┆ RuleName: … │\n", "│ ┆ ┆ ┆ ┆ ┆ Regi… ┆ │\n", "│ 2024-06-23T0 ┆ win10 ┆ fe80::965b: ┆ information ┆ 1 ┆ Process ┆ Process │\n", "│ 7:42:03.864Z ┆ ┆ 5bf2:7f22:d ┆ ┆ ┆ Create ┆ Create: │\n", "│ ┆ ┆ 30 ┆ ┆ ┆ (rule: ┆ RuleName: - │\n", "│ ┆ ┆ ┆ ┆ ┆ ProcessC… ┆ Ut… │\n", "│ … ┆ … ┆ … ┆ … ┆ … ┆ … ┆ … │\n", "│ 2024-06-23T0 ┆ win10 ┆ fe80::965b: ┆ information ┆ 1 ┆ Process ┆ Process │\n", "│ 8:35:53.050Z ┆ ┆ 5bf2:7f22:d ┆ ┆ ┆ Create ┆ Create: │\n", "│ ┆ ┆ 30 ┆ ┆ ┆ (rule: ┆ RuleName: - │\n", "│ ┆ ┆ ┆ ┆ ┆ ProcessC… ┆ Ut… │\n", "│ 2024-06-23T0 ┆ win10 ┆ fe80::965b: ┆ information ┆ 10 ┆ Process ┆ Process │\n", "│ 8:35:53.125Z ┆ ┆ 5bf2:7f22:d ┆ ┆ ┆ accessed ┆ accessed: │\n", "│ ┆ ┆ 30 ┆ ┆ ┆ (rule: ┆ RuleName: - │\n", "│ ┆ ┆ ┆ ┆ ┆ Proces… ┆ … │\n", "│ 2024-06-23T0 ┆ win10 ┆ fe80::965b: ┆ information ┆ 1 ┆ Process ┆ Process │\n", "│ 8:35:56.448Z ┆ ┆ 5bf2:7f22:d ┆ ┆ ┆ Create ┆ Create: │\n", "│ ┆ ┆ 30 ┆ ┆ ┆ (rule: ┆ RuleName: - │\n", "│ ┆ ┆ ┆ ┆ ┆ ProcessC… ┆ Ut… │\n", "│ 2024-06-23T0 ┆ win10 ┆ fe80::965b: ┆ information ┆ 22 ┆ Dns query ┆ Dns query: │\n", "│ 8:37:46.518Z ┆ ┆ 5bf2:7f22:d ┆ ┆ ┆ (rule: ┆ RuleName: - │\n", "│ ┆ ┆ 30 ┆ ┆ ┆ DnsQuery) ┆ UtcTime… │\n", "│ 2024-06-23T0 ┆ win10 ┆ fe80::965b: ┆ information ┆ 1 ┆ Process ┆ Process │\n", "│ 8:37:54.182Z ┆ ┆ 5bf2:7f22:d ┆ ┆ ┆ Create ┆ Create: │\n", "│ ┆ ┆ 30 ┆ ┆ ┆ (rule: ┆ RuleName: - │\n", "│ ┆ ┆ ┆ ┆ ┆ ProcessC… ┆ Ut… │\n", "└──────────────┴─────────────┴─────────────┴─────────────┴─────────────┴─────────────┴─────────────┘\n" ] } ], "execution_count": 2 }, { "metadata": { "ExecuteTime": { "end_time": "2024-06-23T14:27:15.761561Z", "start_time": "2024-06-23T14:27:15.718703Z" } }, "cell_type": "code", "source": [ "import polars as pl\n", "\n", "def remove_keyword_lines(batch, keywords):\n", " def modify_line(line):\n", " # Check each keyword; filter the line if the keyword is at the start followed by a colon\n", " for keyword in keywords:\n", " if line.startswith(f\"{keyword}:\"):\n", " # Special handling for 'User' keyword\n", " if keyword == 'User':\n", " parts = line.split('\\\\')\n", " if len(parts) > 1:\n", " return f\"User: {parts[1]}\" # Only keep the part after the backslash\n", " elif keyword == 'SourceHostname':\n", " parts = line.split('.')\n", " if len(parts) > 0:\n", " return f\"{keyword}: {parts[0].split(': ')[1]}\" # Only keep the part before the first dot, remove keyword duplication\n", " return None # For other keywords, remove the line altogether\n", " return line # Return the line unchanged if no keyword conditions are met\n", "\n", " # Use map_elements to apply a function to each message in the batch\n", " return batch.map_elements(lambda message: '\\n'.join(\n", " filter(None, (modify_line(line) for line in message.split('\\n')))), \n", " return_dtype=pl.Utf8)\n", "\n", "\n", "\n", "\n", "# Define a list of keywords to filter out\n", "keywords_to_filter = [\"UtcTime\", \"SourceProcessGUID\",\"ProcessGuid\", \"TargetProcessGUID\", \"TargetObject\", \"FileVersion\", \"Hashes\", \"LogonGuid\", \"LogonId\", \"CreationUtcTime\", \"User\", \"ParentProcessGuid\", \"SourceHostname\"]\n", "\n", "\n", "# Load your DataFrame (assuming 'df' is already loaded)\n", "# Apply the transformation to the 'message' column using map_batches\n", "df_f = df.with_columns(\n", " pl.col(\"message\").map_batches(lambda batch: remove_keyword_lines(batch, keywords_to_filter), return_dtype=pl.Utf8).alias(\"filtered_message\")\n", ")\n", "\n", "# Assuming df_f is your DataFrame with the 'filtered_message' column\n", "# Fetch the first three rows from the 'filtered_message' column\n", "first_messages = df_f[\"filtered_message\"].head(200)\n", "\n", "# Print each message completely\n", "for i, message in enumerate(first_messages):\n", " print(f\"Message {i+1}:\")\n", " print(message)\n", " print(\"-\" * 50) # Separator for readability\n" ], "id": "fc93fe038bcb00c5", "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Message 1:\n", "Process accessed:\n", "RuleName: -\n", "SourceProcessId: 1072\n", "SourceThreadId: 1132\n", "SourceImage: C:\\Windows\\system32\\svchost.exe\n", "TargetProcessId: 872\n", "TargetImage: C:\\Windows\\system32\\lsass.exe\n", "GrantedAccess: 0x1000\n", "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n", "--------------------------------------------------\n", "Message 2:\n", "Process accessed:\n", "RuleName: -\n", "SourceProcessId: 1072\n", "SourceThreadId: 1132\n", "SourceImage: C:\\Windows\\system32\\svchost.exe\n", "TargetProcessId: 872\n", "TargetImage: C:\\Windows\\system32\\lsass.exe\n", "GrantedAccess: 0x1000\n", "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n", "--------------------------------------------------\n", "Message 3:\n", "Process Create:\n", "RuleName: -\n", "ProcessId: 5196\n", "Image: C:\\Windows\\servicing\\TrustedInstaller.exe\n", "Description: Windows Modules Installer\n", "Product: Microsoft® Windows® Operating System\n", "Company: Microsoft Corporation\n", "OriginalFileName: TrustedInstaller.exe\n", "CommandLine: C:\\Windows\\servicing\\TrustedInstaller.exe\n", "CurrentDirectory: C:\\Windows\\system32\\\n", "User: SYSTEM\n", "TerminalSessionId: 0\n", "IntegrityLevel: System\n", "ParentProcessId: 824\n", "ParentImage: C:\\Windows\\System32\\services.exe\n", "ParentCommandLine: C:\\Windows\\system32\\services.exe\n", "--------------------------------------------------\n", "Message 4:\n", "Registry value set:\n", "RuleName: Tamper-Winlogon\n", "EventType: SetValue\n", "ProcessId: 5196\n", "Image: C:\\Windows\\servicing\\TrustedInstaller.exe\n", "Details: CreateSession\n", "--------------------------------------------------\n", "Message 5:\n", "Process Create:\n", "RuleName: -\n", "ProcessId: 6140\n", "Image: C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.2664_none_7dfa24947c9c0a36\\TiWorker.exe\n", "Description: Windows Modules Installer Worker\n", "Product: Microsoft® Windows® Operating System\n", "Company: Microsoft Corporation\n", "OriginalFileName: TiWorker.exe\n", "CommandLine: C:\\Windows\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.2664_none_7dfa24947c9c0a36\\TiWorker.exe -Embedding\n", "CurrentDirectory: C:\\Windows\\system32\\\n", "User: SYSTEM\n", "TerminalSessionId: 0\n", "IntegrityLevel: System\n", "ParentProcessId: 1000\n", "ParentImage: C:\\Windows\\System32\\svchost.exe\n", "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p\n", "--------------------------------------------------\n", "Message 6:\n", "Process Create:\n", "RuleName: -\n", "ProcessId: 2036\n", "Image: C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe\n", "Description: Microsoft Edge Update\n", "Product: Microsoft Edge Update\n", "Company: Microsoft Corporation\n", "OriginalFileName: msedgeupdate.dll\n", "CommandLine: \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe\" /c\n", "CurrentDirectory: C:\\Windows\\system32\\\n", "User: SYSTEM\n", "TerminalSessionId: 0\n", "IntegrityLevel: System\n", "ParentProcessId: 2024\n", "ParentImage: C:\\Windows\\System32\\svchost.exe\n", "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n", "--------------------------------------------------\n", "Message 7:\n", "Dns query:\n", "RuleName: -\n", "ProcessId: 3508\n", "QueryName: ncc.avast.com\n", "QueryStatus: 0\n", "QueryResults: type: 5 ncc.avast.com.edgesuite.net;type: 5 a1488.dscd.akamai.net;::ffff:23.72.36.187;::ffff:23.72.36.112;\n", "Image: C:\\Program Files\\Avast Software\\Avast\\aswToolsSvc.exe\n", "--------------------------------------------------\n", "Message 8:\n", "Dns query:\n", "RuleName: -\n", "ProcessId: 4592\n", "QueryName: ecs.office.com\n", "QueryStatus: 0\n", "QueryResults: type: 5 ecs.office.trafficmanager.net;type: 5 s-0005-office.config.skype.com;type: 5 ecs-office.s-0005.s-msedge.net;type: 5 s-0005.s-msedge.net;::ffff:52.113.194.132;\n", "Image: C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe\n", "--------------------------------------------------\n", "Message 9:\n", "Process Create:\n", "RuleName: -\n", "ProcessId: 4492\n", "Image: C:\\Windows\\System32\\taskhostw.exe\n", "Description: Host Process for Windows Tasks\n", "Product: Microsoft® Windows® Operating System\n", "Company: Microsoft Corporation\n", "OriginalFileName: taskhostw.exe\n", "CommandLine: taskhostw.exe\n", "CurrentDirectory: C:\\Windows\\system32\\\n", "User: SYSTEM\n", "TerminalSessionId: 0\n", "IntegrityLevel: System\n", "ParentProcessId: 2024\n", "ParentImage: C:\\Windows\\System32\\svchost.exe\n", "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n", "--------------------------------------------------\n", "Message 10:\n", "Process Create:\n", "RuleName: -\n", "ProcessId: 2788\n", "Image: C:\\Windows\\System32\\WinBioPlugIns\\FaceFodUninstaller.exe\n", "Description: -\n", "Product: -\n", "Company: -\n", "OriginalFileName: -\n", "CommandLine: \"C:\\Windows\\System32\\WinBioPlugIns\\FaceFodUninstaller.exe\"\n", "CurrentDirectory: C:\\Windows\\system32\\\n", "User: SYSTEM\n", "TerminalSessionId: 0\n", "IntegrityLevel: System\n", "ParentProcessId: 2024\n", "ParentImage: C:\\Windows\\System32\\svchost.exe\n", "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n", "--------------------------------------------------\n", "Message 11:\n", "Process Create:\n", "RuleName: -\n", "ProcessId: 6472\n", "Image: C:\\Windows\\System32\\lpremove.exe\n", "Description: MUI Language pack cleanup\n", "Product: Microsoft® Windows® Operating System\n", "Company: Microsoft Corporation\n", "OriginalFileName: lpremove.exe\n", "CommandLine: \"C:\\Windows\\system32\\lpremove.exe\"\n", "CurrentDirectory: C:\\Windows\\system32\\\n", "User: SYSTEM\n", "TerminalSessionId: 0\n", "IntegrityLevel: System\n", "ParentProcessId: 2024\n", "ParentImage: C:\\Windows\\System32\\svchost.exe\n", "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n", "--------------------------------------------------\n", "Message 12:\n", "Process Create:\n", "RuleName: -\n", "ProcessId: 6104\n", "Image: C:\\Windows\\System32\\UsoClient.exe\n", "Description: UsoClient\n", "Product: Microsoft® Windows® Operating System\n", "Company: Microsoft Corporation\n", "OriginalFileName: UsoClient\n", "CommandLine: \"C:\\Windows\\system32\\usoclient.exe\" ReportPolicies\n", "CurrentDirectory: C:\\Windows\\system32\\\n", "User: SYSTEM\n", "TerminalSessionId: 0\n", "IntegrityLevel: System\n", "ParentProcessId: 2024\n", "ParentImage: C:\\Windows\\System32\\svchost.exe\n", "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n", "--------------------------------------------------\n", "Message 13:\n", "Process accessed:\n", "RuleName: -\n", "SourceProcessId: 1072\n", "SourceThreadId: 1132\n", "SourceImage: C:\\Windows\\system32\\svchost.exe\n", "TargetProcessId: 872\n", "TargetImage: C:\\Windows\\system32\\lsass.exe\n", "GrantedAccess: 0x1000\n", "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n", "--------------------------------------------------\n", "Message 14:\n", "Process accessed:\n", "RuleName: -\n", "SourceProcessId: 1072\n", "SourceThreadId: 1132\n", "SourceImage: C:\\Windows\\system32\\svchost.exe\n", "TargetProcessId: 872\n", "TargetImage: C:\\Windows\\system32\\lsass.exe\n", "GrantedAccess: 0x1000\n", "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n", "--------------------------------------------------\n", "Message 15:\n", "Process accessed:\n", "RuleName: -\n", "SourceProcessId: 1072\n", "SourceThreadId: 1096\n", "SourceImage: C:\\Windows\\system32\\svchost.exe\n", "TargetProcessId: 872\n", "TargetImage: C:\\Windows\\system32\\lsass.exe\n", "GrantedAccess: 0x1000\n", "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n", "--------------------------------------------------\n", "Message 16:\n", "Process accessed:\n", "RuleName: -\n", "SourceProcessId: 1072\n", "SourceThreadId: 1096\n", "SourceImage: C:\\Windows\\system32\\svchost.exe\n", "TargetProcessId: 872\n", "TargetImage: C:\\Windows\\system32\\lsass.exe\n", "GrantedAccess: 0x1000\n", "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n", "--------------------------------------------------\n", "Message 17:\n", "Process Create:\n", "RuleName: -\n", "ProcessId: 4324\n", "Image: C:\\Windows\\System32\\sc.exe\n", "Description: Service Control Manager Configuration Tool\n", "Product: Microsoft® Windows® Operating System\n", "Company: Microsoft Corporation\n", "OriginalFileName: sc.exe\n", "CommandLine: \"C:\\Windows\\system32\\sc.exe\" start w32time task_started\n", "CurrentDirectory: C:\\Windows\\system32\\\n", "User: LOCAL SERVICE\n", "TerminalSessionId: 0\n", "IntegrityLevel: System\n", "ParentProcessId: 2024\n", "ParentImage: C:\\Windows\\System32\\svchost.exe\n", "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n", "--------------------------------------------------\n", "Message 18:\n", "Process accessed:\n", "RuleName: -\n", "SourceProcessId: 1072\n", "SourceThreadId: 1132\n", "SourceImage: C:\\Windows\\system32\\svchost.exe\n", "TargetProcessId: 872\n", "TargetImage: C:\\Windows\\system32\\lsass.exe\n", "GrantedAccess: 0x1000\n", "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n", "--------------------------------------------------\n", "Message 19:\n", "Process accessed:\n", "RuleName: -\n", "SourceProcessId: 1072\n", "SourceThreadId: 1132\n", "SourceImage: C:\\Windows\\system32\\svchost.exe\n", "TargetProcessId: 872\n", "TargetImage: C:\\Windows\\system32\\lsass.exe\n", "GrantedAccess: 0x1000\n", "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n", "--------------------------------------------------\n", "Message 20:\n", "Process accessed:\n", "RuleName: -\n", "SourceProcessId: 1072\n", "SourceThreadId: 1096\n", "SourceImage: C:\\Windows\\system32\\svchost.exe\n", "TargetProcessId: 872\n", "TargetImage: C:\\Windows\\system32\\lsass.exe\n", "GrantedAccess: 0x1000\n", "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n", "--------------------------------------------------\n", "Message 21:\n", "Process accessed:\n", "RuleName: -\n", "SourceProcessId: 1072\n", "SourceThreadId: 1096\n", "SourceImage: C:\\Windows\\system32\\svchost.exe\n", "TargetProcessId: 872\n", "TargetImage: C:\\Windows\\system32\\lsass.exe\n", "GrantedAccess: 0x1000\n", "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n", "--------------------------------------------------\n", "Message 22:\n", "Process Create:\n", "RuleName: -\n", "ProcessId: 5828\n", "Image: C:\\Windows\\System32\\taskhostw.exe\n", "Description: Host Process for Windows Tasks\n", "Product: Microsoft® Windows® Operating System\n", "Company: Microsoft Corporation\n", "OriginalFileName: taskhostw.exe\n", "CommandLine: taskhostw.exe\n", "CurrentDirectory: C:\\Windows\\system32\\\n", "User: LOCAL SERVICE\n", "TerminalSessionId: 0\n", "IntegrityLevel: System\n", "ParentProcessId: 2024\n", "ParentImage: C:\\Windows\\System32\\svchost.exe\n", "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n", "--------------------------------------------------\n", "Message 23:\n", "Process Create:\n", "RuleName: -\n", "ProcessId: 4996\n", "Image: C:\\Windows\\System32\\rundll32.exe\n", "Description: Windows host process (Rundll32)\n", "Product: Microsoft® Windows® Operating System\n", "Company: Microsoft Corporation\n", "OriginalFileName: RUNDLL32.EXE\n", "CommandLine: \"C:\\Windows\\system32\\rundll32.exe\" C:\\Windows\\system32\\Windows.StateRepositoryClient.dll,StateRepositoryDoMaintenanceTasks\n", "CurrentDirectory: C:\\Windows\\system32\\\n", "User: SYSTEM\n", "TerminalSessionId: 0\n", "IntegrityLevel: System\n", "ParentProcessId: 2024\n", "ParentImage: C:\\Windows\\System32\\svchost.exe\n", "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n", "--------------------------------------------------\n", "Message 24:\n", "Process Create:\n", "RuleName: -\n", "ProcessId: 5376\n", "Image: C:\\Windows\\System32\\Defrag.exe\n", "Description: Disk Defragmenter Module\n", "Product: Windows Drive Optimizer\n", "Company: Microsoft Corp.\n", "OriginalFileName: Defrag.EXE\n", "CommandLine: \"C:\\Windows\\system32\\defrag.exe\" -c -h -o -$\n", "CurrentDirectory: C:\\Windows\\system32\\\n", "User: SYSTEM\n", "TerminalSessionId: 0\n", "IntegrityLevel: System\n", "ParentProcessId: 2024\n", "ParentImage: C:\\Windows\\System32\\svchost.exe\n", "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n", "--------------------------------------------------\n", "Message 25:\n", "Process Create:\n", "RuleName: -\n", "ProcessId: 4240\n", "Image: C:\\Windows\\System32\\dmclient.exe\n", "Description: Microsoft Feedback SIUF Deployment Manager Client\n", "Product: Microsoft® Windows® Operating System\n", "Company: Microsoft Corporation\n", "OriginalFileName: dmclient.exe\n", "CommandLine: \"C:\\Windows\\system32\\dmclient.exe\"\n", "CurrentDirectory: C:\\Windows\\system32\\\n", "User: SYSTEM\n", "TerminalSessionId: 0\n", "IntegrityLevel: System\n", "ParentProcessId: 2024\n", "ParentImage: C:\\Windows\\System32\\svchost.exe\n", "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n", "--------------------------------------------------\n", "Message 26:\n", "Process accessed:\n", "RuleName: -\n", "SourceProcessId: 1072\n", "SourceThreadId: 1096\n", "SourceImage: C:\\Windows\\system32\\svchost.exe\n", "TargetProcessId: 872\n", "TargetImage: C:\\Windows\\system32\\lsass.exe\n", "GrantedAccess: 0x1000\n", "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n", "--------------------------------------------------\n", "Message 27:\n", "Process accessed:\n", "RuleName: -\n", "SourceProcessId: 1072\n", "SourceThreadId: 1096\n", "SourceImage: C:\\Windows\\system32\\svchost.exe\n", "TargetProcessId: 872\n", "TargetImage: C:\\Windows\\system32\\lsass.exe\n", "GrantedAccess: 0x1000\n", "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n", "--------------------------------------------------\n", "Message 28:\n", "Process Create:\n", "RuleName: -\n", "ProcessId: 4980\n", "Image: C:\\Windows\\System32\\tzsync.exe\n", "Description: TimeZone Sync Task\n", "Product: Microsoft® Windows® Operating System\n", "Company: Microsoft Corporation\n", "OriginalFileName: tzsync.exe\n", "CommandLine: \"C:\\Windows\\system32\\tzsync.exe\"\n", "CurrentDirectory: C:\\Windows\\system32\\\n", "User: SYSTEM\n", "TerminalSessionId: 0\n", "IntegrityLevel: System\n", "ParentProcessId: 2024\n", "ParentImage: C:\\Windows\\System32\\svchost.exe\n", "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n", "--------------------------------------------------\n", "Message 29:\n", "Process Create:\n", "RuleName: -\n", "ProcessId: 1528\n", "Image: C:\\Windows\\System32\\DiskSnapshot.exe\n", "Description: DiskSnapshot.exe\n", "Product: Microsoft® Windows® Operating System\n", "Company: Microsoft Corporation\n", "OriginalFileName: DiskSnapshot.exe\n", "CommandLine: \"C:\\Windows\\system32\\disksnapshot.exe\" -z\n", "CurrentDirectory: C:\\Windows\\system32\\\n", "User: SYSTEM\n", "TerminalSessionId: 0\n", "IntegrityLevel: System\n", "ParentProcessId: 2024\n", "ParentImage: C:\\Windows\\System32\\svchost.exe\n", "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n", "--------------------------------------------------\n", "Message 30:\n", "Process Create:\n", "RuleName: -\n", "ProcessId: 2384\n", "Image: C:\\Windows\\System32\\rundll32.exe\n", "Description: Windows host process (Rundll32)\n", "Product: Microsoft® Windows® Operating System\n", "Company: Microsoft Corporation\n", "OriginalFileName: RUNDLL32.EXE\n", "CommandLine: \"C:\\Windows\\system32\\rundll32.exe\" Windows.Storage.ApplicationData.dll,CleanupTemporaryState\n", "CurrentDirectory: C:\\Windows\\system32\\\n", "User: SYSTEM\n", "TerminalSessionId: 0\n", "IntegrityLevel: System\n", "ParentProcessId: 2024\n", "ParentImage: C:\\Windows\\System32\\svchost.exe\n", "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n", "--------------------------------------------------\n", "Message 31:\n", "Process Create:\n", "RuleName: -\n", "ProcessId: 5156\n", "Image: C:\\Windows\\System32\\dstokenclean.exe\n", "Description: Data Sharing Service Maintenance Driver\n", "Product: Microsoft® Windows® Operating System\n", "Company: Microsoft Corporation\n", "OriginalFileName: dstokenclean.exe\n", "CommandLine: \"C:\\Windows\\system32\\dstokenclean.exe\"\n", "CurrentDirectory: C:\\Windows\\system32\\\n", "User: SYSTEM\n", "TerminalSessionId: 0\n", "IntegrityLevel: System\n", "ParentProcessId: 2024\n", "ParentImage: C:\\Windows\\System32\\svchost.exe\n", "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n", "--------------------------------------------------\n", "Message 32:\n", "Process accessed:\n", "RuleName: -\n", "SourceProcessId: 1072\n", "SourceThreadId: 1132\n", "SourceImage: C:\\Windows\\system32\\svchost.exe\n", "TargetProcessId: 872\n", "TargetImage: C:\\Windows\\system32\\lsass.exe\n", "GrantedAccess: 0x1000\n", "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n", "--------------------------------------------------\n", "Message 33:\n", "Process accessed:\n", "RuleName: -\n", "SourceProcessId: 1072\n", "SourceThreadId: 1132\n", "SourceImage: C:\\Windows\\system32\\svchost.exe\n", "TargetProcessId: 872\n", "TargetImage: C:\\Windows\\system32\\lsass.exe\n", "GrantedAccess: 0x1000\n", "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n", "--------------------------------------------------\n", "Message 34:\n", "Process Create:\n", "RuleName: -\n", "ProcessId: 5632\n", "Image: C:\\Windows\\System32\\svchost.exe\n", "Description: Host Process for Windows Services\n", "Product: Microsoft® Windows® Operating System\n", "Company: Microsoft Corporation\n", "OriginalFileName: svchost.exe\n", "CommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s wisvc\n", "CurrentDirectory: C:\\Windows\\system32\\\n", "User: SYSTEM\n", "TerminalSessionId: 0\n", "IntegrityLevel: System\n", "ParentProcessId: 824\n", "ParentImage: C:\\Windows\\System32\\services.exe\n", "ParentCommandLine: C:\\Windows\\system32\\services.exe\n", "--------------------------------------------------\n", "Message 35:\n", "Process Create:\n", "RuleName: -\n", "ProcessId: 2388\n", "Image: C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ngentask.exe\n", "Description: Microsoft .NET Framework optimization service\n", "Product: Microsoft® .NET Framework\n", "Company: Microsoft Corporation\n", "OriginalFileName: NGenTask.exe\n", "CommandLine: \"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\NGenTask.exe\" /RuntimeWide /StopEvent:480\n", "CurrentDirectory: C:\\Windows\\system32\\\n", "User: SYSTEM\n", "TerminalSessionId: 0\n", "IntegrityLevel: System\n", "ParentProcessId: 4492\n", "ParentImage: C:\\Windows\\System32\\taskhostw.exe\n", "ParentCommandLine: taskhostw.exe\n", "--------------------------------------------------\n", "Message 36:\n", "Process Create:\n", "RuleName: -\n", "ProcessId: 6460\n", "Image: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ngentask.exe\n", "Description: Microsoft .NET Framework optimization service\n", "Product: Microsoft® .NET Framework\n", "Company: Microsoft Corporation\n", "OriginalFileName: NGenTask.exe\n", "CommandLine: \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\NGenTask.exe\" /RuntimeWide /StopEvent:1132\n", "CurrentDirectory: C:\\Windows\\system32\\\n", "User: SYSTEM\n", "TerminalSessionId: 0\n", "IntegrityLevel: System\n", "ParentProcessId: 4492\n", "ParentImage: C:\\Windows\\System32\\taskhostw.exe\n", "ParentCommandLine: taskhostw.exe\n", "--------------------------------------------------\n", "Message 37:\n", "Process accessed:\n", "RuleName: -\n", "SourceProcessId: 1072\n", "SourceThreadId: 1096\n", "SourceImage: C:\\Windows\\system32\\svchost.exe\n", "TargetProcessId: 872\n", "TargetImage: C:\\Windows\\system32\\lsass.exe\n", "GrantedAccess: 0x1000\n", "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n", "--------------------------------------------------\n", "Message 38:\n", "Process accessed:\n", "RuleName: -\n", "SourceProcessId: 1072\n", "SourceThreadId: 1096\n", "SourceImage: C:\\Windows\\system32\\svchost.exe\n", "TargetProcessId: 872\n", "TargetImage: C:\\Windows\\system32\\lsass.exe\n", "GrantedAccess: 0x1000\n", "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n", "--------------------------------------------------\n", "Message 39:\n", "Process Create:\n", "RuleName: -\n", "ProcessId: 4292\n", "Image: C:\\Windows\\System32\\svchost.exe\n", "Description: Host Process for Windows Services\n", "Product: Microsoft® Windows® Operating System\n", "Company: Microsoft Corporation\n", "OriginalFileName: svchost.exe\n", "CommandLine: C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc\n", "CurrentDirectory: C:\\Windows\\system32\\\n", "User: SYSTEM\n", "TerminalSessionId: 0\n", "IntegrityLevel: System\n", "ParentProcessId: 824\n", "ParentImage: C:\\Windows\\System32\\services.exe\n", "ParentCommandLine: C:\\Windows\\system32\\services.exe\n", "--------------------------------------------------\n", "Message 40:\n", "Process accessed:\n", "RuleName: -\n", "SourceProcessId: 1072\n", "SourceThreadId: 1096\n", "SourceImage: C:\\Windows\\system32\\svchost.exe\n", "TargetProcessId: 872\n", "TargetImage: C:\\Windows\\system32\\lsass.exe\n", "GrantedAccess: 0x1000\n", "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n", "--------------------------------------------------\n", "Message 41:\n", "Process accessed:\n", "RuleName: -\n", "SourceProcessId: 1072\n", "SourceThreadId: 1096\n", "SourceImage: C:\\Windows\\system32\\svchost.exe\n", "TargetProcessId: 872\n", "TargetImage: C:\\Windows\\system32\\lsass.exe\n", "GrantedAccess: 0x1000\n", "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n", "--------------------------------------------------\n", "Message 42:\n", "Process accessed:\n", "RuleName: -\n", "SourceProcessId: 1072\n", "SourceThreadId: 1096\n", "SourceImage: C:\\Windows\\system32\\svchost.exe\n", "TargetProcessId: 872\n", "TargetImage: C:\\Windows\\system32\\lsass.exe\n", "GrantedAccess: 0x1000\n", "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n", "--------------------------------------------------\n", "Message 43:\n", "Process accessed:\n", "RuleName: -\n", "SourceProcessId: 1072\n", "SourceThreadId: 1096\n", "SourceImage: C:\\Windows\\system32\\svchost.exe\n", "TargetProcessId: 872\n", "TargetImage: C:\\Windows\\system32\\lsass.exe\n", "GrantedAccess: 0x1000\n", "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n", "--------------------------------------------------\n", "Message 44:\n", "Process accessed:\n", "RuleName: -\n", "SourceProcessId: 1072\n", "SourceThreadId: 1096\n", "SourceImage: C:\\Windows\\system32\\svchost.exe\n", "TargetProcessId: 872\n", "TargetImage: C:\\Windows\\system32\\lsass.exe\n", "GrantedAccess: 0x1000\n", "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n", "--------------------------------------------------\n", "Message 45:\n", "Process accessed:\n", "RuleName: -\n", "SourceProcessId: 1072\n", "SourceThreadId: 1096\n", "SourceImage: C:\\Windows\\system32\\svchost.exe\n", "TargetProcessId: 872\n", "TargetImage: C:\\Windows\\system32\\lsass.exe\n", "GrantedAccess: 0x1000\n", "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n", "--------------------------------------------------\n", "Message 46:\n", "Process accessed:\n", "RuleName: -\n", "SourceProcessId: 1072\n", "SourceThreadId: 1096\n", "SourceImage: C:\\Windows\\system32\\svchost.exe\n", "TargetProcessId: 872\n", "TargetImage: C:\\Windows\\system32\\lsass.exe\n", "GrantedAccess: 0x1000\n", "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n", "--------------------------------------------------\n", "Message 47:\n", "Process accessed:\n", "RuleName: -\n", "SourceProcessId: 1072\n", "SourceThreadId: 1096\n", "SourceImage: C:\\Windows\\system32\\svchost.exe\n", "TargetProcessId: 872\n", "TargetImage: C:\\Windows\\system32\\lsass.exe\n", "GrantedAccess: 0x1000\n", "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n", "--------------------------------------------------\n", "Message 48:\n", "Process Create:\n", "RuleName: -\n", "ProcessId: 4196\n", "Image: C:\\Windows\\System32\\Speech_OneCore\\common\\SpeechModelDownload.exe\n", "Description: Speech Model Download Executable\n", "Product: Microsoft® Windows® Operating System\n", "Company: Microsoft Corporation\n", "OriginalFileName: SpeechModelDownload.exe\n", "CommandLine: \"C:\\Windows\\system32\\speech_onecore\\common\\SpeechModelDownload.exe\"\n", "CurrentDirectory: C:\\Windows\\system32\\\n", "User: NETWORK SERVICE\n", "TerminalSessionId: 0\n", "IntegrityLevel: System\n", "ParentProcessId: 2024\n", "ParentImage: C:\\Windows\\System32\\svchost.exe\n", "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n", "--------------------------------------------------\n", "Message 49:\n", "Process Create:\n", "RuleName: -\n", "ProcessId: 5472\n", "Image: C:\\Windows\\System32\\taskhostw.exe\n", "Description: Host Process for Windows Tasks\n", "Product: Microsoft® Windows® Operating System\n", "Company: Microsoft Corporation\n", "OriginalFileName: taskhostw.exe\n", "CommandLine: taskhostw.exe -IntegrityCheck\n", "CurrentDirectory: C:\\Windows\\system32\\\n", "User: SYSTEM\n", "TerminalSessionId: 0\n", "IntegrityLevel: System\n", "ParentProcessId: 2024\n", "ParentImage: C:\\Windows\\System32\\svchost.exe\n", "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n", "--------------------------------------------------\n", "Message 50:\n", "Process Create:\n", "RuleName: -\n", "ProcessId: 3320\n", "Image: C:\\Windows\\System32\\rundll32.exe\n", "Description: Windows host process (Rundll32)\n", "Product: Microsoft® Windows® Operating System\n", "Company: Microsoft Corporation\n", "OriginalFileName: RUNDLL32.EXE\n", "CommandLine: \"C:\\Windows\\system32\\rundll32.exe\" sysmain.dll,PfSvWsSwapAssessmentTask\n", "CurrentDirectory: C:\\Windows\\system32\\\n", "User: SYSTEM\n", "TerminalSessionId: 0\n", "IntegrityLevel: System\n", "ParentProcessId: 2024\n", "ParentImage: C:\\Windows\\System32\\svchost.exe\n", "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n", "--------------------------------------------------\n", "Message 51:\n", "Process accessed:\n", "RuleName: -\n", "SourceProcessId: 1072\n", "SourceThreadId: 1132\n", "SourceImage: C:\\Windows\\system32\\svchost.exe\n", "TargetProcessId: 872\n", "TargetImage: C:\\Windows\\system32\\lsass.exe\n", "GrantedAccess: 0x1000\n", "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n", "--------------------------------------------------\n", "Message 52:\n", "Process accessed:\n", "RuleName: -\n", "SourceProcessId: 1072\n", "SourceThreadId: 1132\n", "SourceImage: C:\\Windows\\system32\\svchost.exe\n", "TargetProcessId: 872\n", "TargetImage: C:\\Windows\\system32\\lsass.exe\n", "GrantedAccess: 0x1000\n", "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n", "--------------------------------------------------\n", "Message 53:\n", "Process accessed:\n", "RuleName: -\n", "SourceProcessId: 1072\n", "SourceThreadId: 1132\n", "SourceImage: C:\\Windows\\system32\\svchost.exe\n", "TargetProcessId: 872\n", "TargetImage: C:\\Windows\\system32\\lsass.exe\n", "GrantedAccess: 0x1000\n", "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n", "--------------------------------------------------\n", "Message 54:\n", "Process accessed:\n", "RuleName: -\n", "SourceProcessId: 1072\n", "SourceThreadId: 1132\n", "SourceImage: C:\\Windows\\system32\\svchost.exe\n", "TargetProcessId: 872\n", "TargetImage: C:\\Windows\\system32\\lsass.exe\n", "GrantedAccess: 0x1000\n", "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n", "--------------------------------------------------\n", "Message 55:\n", "Process accessed:\n", "RuleName: -\n", "SourceProcessId: 1072\n", "SourceThreadId: 1132\n", "SourceImage: C:\\Windows\\system32\\svchost.exe\n", "TargetProcessId: 872\n", "TargetImage: C:\\Windows\\system32\\lsass.exe\n", "GrantedAccess: 0x1000\n", "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n", "--------------------------------------------------\n", "Message 56:\n", "Process accessed:\n", "RuleName: -\n", "SourceProcessId: 1072\n", "SourceThreadId: 1132\n", "SourceImage: C:\\Windows\\system32\\svchost.exe\n", "TargetProcessId: 872\n", "TargetImage: C:\\Windows\\system32\\lsass.exe\n", "GrantedAccess: 0x1000\n", "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n", "--------------------------------------------------\n", "Message 57:\n", "Process Create:\n", "RuleName: -\n", "ProcessId: 1184\n", "Image: C:\\Windows\\System32\\WinSAT.exe\n", "Description: Windows System Assessment Tool\n", "Product: Microsoft® Windows® Operating System\n", "Company: Microsoft Corporation\n", "OriginalFileName: WinSAT.exe\n", "CommandLine: \"C:\\Windows\\system32\\winsat.exe\" disk -wsswap\n", "CurrentDirectory: C:\\Windows\\system32\\\n", "User: SYSTEM\n", "TerminalSessionId: 0\n", "IntegrityLevel: System\n", "ParentProcessId: 3320\n", "ParentImage: C:\\Windows\\System32\\rundll32.exe\n", "ParentCommandLine: \"C:\\Windows\\system32\\rundll32.exe\" sysmain.dll,PfSvWsSwapAssessmentTask\n", "--------------------------------------------------\n", "Message 58:\n", "Process Create:\n", "RuleName: -\n", "ProcessId: 3720\n", "Image: C:\\Windows\\System32\\Defrag.exe\n", "Description: Disk Defragmenter Module\n", "Product: Windows Drive Optimizer\n", "Company: Microsoft Corp.\n", "OriginalFileName: Defrag.EXE\n", "CommandLine: \"C:\\Windows\\system32\\defrag.exe\" -p 8a4 -s 0000000000000160 -b -OnlyPreferred C:\n", "CurrentDirectory: C:\\Windows\\system32\\\n", "User: SYSTEM\n", "TerminalSessionId: 0\n", "IntegrityLevel: System\n", "ParentProcessId: 2212\n", "ParentImage: C:\\Windows\\System32\\svchost.exe\n", "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p -s SysMain\n", "--------------------------------------------------\n", "Message 59:\n", "Process accessed:\n", "RuleName: -\n", "SourceProcessId: 1072\n", "SourceThreadId: 1132\n", "SourceImage: C:\\Windows\\system32\\svchost.exe\n", "TargetProcessId: 872\n", "TargetImage: C:\\Windows\\system32\\lsass.exe\n", "GrantedAccess: 0x1000\n", "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+11918|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n", "--------------------------------------------------\n", "Message 60:\n", "Process accessed:\n", "RuleName: -\n", "SourceProcessId: 1072\n", "SourceThreadId: 1132\n", "SourceImage: C:\\Windows\\system32\\svchost.exe\n", "TargetProcessId: 872\n", "TargetImage: C:\\Windows\\system32\\lsass.exe\n", "GrantedAccess: 0x1000\n", "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d584|C:\\Windows\\System32\\KERNELBASE.dll+69f06|c:\\windows\\system32\\lsm.dll+e7f8|c:\\windows\\system32\\lsm.dll+dc6b|c:\\windows\\system32\\lsm.dll+11a1e|C:\\Windows\\System32\\RPCRT4.dll+799e3|C:\\Windows\\System32\\RPCRT4.dll+dd77b|C:\\Windows\\System32\\RPCRT4.dll+5ce8c|C:\\Windows\\System32\\RPCRT4.dll+59ee8|C:\\Windows\\System32\\RPCRT4.dll+39fa6|C:\\Windows\\System32\\RPCRT4.dll+398f8|C:\\Windows\\System32\\RPCRT4.dll+4766f|C:\\Windows\\System32\\RPCRT4.dll+46a78|C:\\Windows\\System32\\RPCRT4.dll+46061|C:\\Windows\\System32\\RPCRT4.dll+45ace|C:\\Windows\\System32\\RPCRT4.dll+4a1a2|C:\\Windows\\SYSTEM32\\ntdll.dll+20330|C:\\Windows\\SYSTEM32\\ntdll.dll+52f76|C:\\Windows\\System32\\KERNEL32.DLL+17614|C:\\Windows\\SYSTEM32\\ntdll.dll+526a1\n", "--------------------------------------------------\n", "Message 61:\n", "Registry value set:\n", "RuleName: InvDB-Path\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: c:\\users\\student_ladm\\appdata\\local\\microsoft\\teams\\previous\\squirrel.exe\n", "--------------------------------------------------\n", "Message 62:\n", "Registry value set:\n", "RuleName: InvDB-Pub\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: microsoft corporation\n", "--------------------------------------------------\n", "Message 63:\n", "Registry value set:\n", "RuleName: InvDB-CompileTimeClaim\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 08/28/2020 18:31:14\n", "--------------------------------------------------\n", "Message 64:\n", "Registry value set:\n", "RuleName: InvDB-Ver\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 1.10.54.0\n", "--------------------------------------------------\n", "Message 65:\n", "Registry value set:\n", "RuleName: InvDB-Path\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: c:\\users\\student_ladm\\appdata\\local\\microsoft\\teams\\stage\\squirrel.exe\n", "--------------------------------------------------\n", "Message 66:\n", "Registry value set:\n", "RuleName: InvDB-Pub\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: microsoft corporation\n", "--------------------------------------------------\n", "Message 67:\n", "Registry value set:\n", "RuleName: InvDB-CompileTimeClaim\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 08/15/2022 18:11:47\n", "--------------------------------------------------\n", "Message 68:\n", "Registry value set:\n", "RuleName: InvDB-Ver\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 3.3.0.0\n", "--------------------------------------------------\n", "Message 69:\n", "Registry value set:\n", "RuleName: InvDB-Path\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: c:\\users\\student_ladm\\appdata\\local\\microsoft\\teams\\current\\squirrel.exe\n", "--------------------------------------------------\n", "Message 70:\n", "Registry value set:\n", "RuleName: InvDB-Pub\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: microsoft corporation\n", "--------------------------------------------------\n", "Message 71:\n", "Registry value set:\n", "RuleName: InvDB-CompileTimeClaim\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 02/03/2022 01:00:13\n", "--------------------------------------------------\n", "Message 72:\n", "Registry value set:\n", "RuleName: InvDB-Ver\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 3.0.1.0\n", "--------------------------------------------------\n", "Message 73:\n", "Registry value set:\n", "RuleName: InvDB-Path\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: c:\\users\\ansible\\appdata\\local\\microsoft\\teams\\current\\teams.exe\n", "--------------------------------------------------\n", "Message 74:\n", "Registry value set:\n", "RuleName: InvDB-Pub\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: microsoft corporation\n", "--------------------------------------------------\n", "Message 75:\n", "Registry value set:\n", "RuleName: InvDB-CompileTimeClaim\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 04/21/2020 14:21:06\n", "--------------------------------------------------\n", "Message 76:\n", "Registry value set:\n", "RuleName: InvDB-Ver\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 1.3.0.28779\n", "--------------------------------------------------\n", "Message 77:\n", "Registry value set:\n", "RuleName: InvDB-Path\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: c:\\users\\ansible\\appdata\\local\\microsoft\\teams\\update.exe\n", "--------------------------------------------------\n", "Message 78:\n", "Registry value set:\n", "RuleName: InvDB-Pub\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: microsoft corporation\n", "--------------------------------------------------\n", "Message 79:\n", "Registry value set:\n", "RuleName: InvDB-CompileTimeClaim\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 08/28/2020 18:31:14\n", "--------------------------------------------------\n", "Message 80:\n", "Registry value set:\n", "RuleName: InvDB-Ver\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 1.10.54.0\n", "--------------------------------------------------\n", "Message 81:\n", "Registry value set:\n", "RuleName: InvDB-Pub\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: Microsoft Corporation\n", "--------------------------------------------------\n", "Message 82:\n", "Registry value set:\n", "RuleName: InvDB-Path\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: c:\\program files (x86)\\microsoft\\edgewebview\\application\\126.0.2592.68\\cookie_exporter.exe\n", "--------------------------------------------------\n", "Message 83:\n", "Registry value set:\n", "RuleName: InvDB-Pub\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: microsoft corporation\n", "--------------------------------------------------\n", "Message 84:\n", "Registry value set:\n", "RuleName: InvDB-CompileTimeClaim\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 06/19/2024 23:34:22\n", "--------------------------------------------------\n", "Message 85:\n", "Registry value set:\n", "RuleName: InvDB-Ver\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 126.0.2592.68\n", "--------------------------------------------------\n", "Message 86:\n", "Registry value set:\n", "RuleName: InvDB-Path\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: c:\\program files (x86)\\microsoft\\edgewebview\\application\\126.0.2592.68\\elevation_service.exe\n", "--------------------------------------------------\n", "Message 87:\n", "Registry value set:\n", "RuleName: InvDB-Pub\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: microsoft corporation\n", "--------------------------------------------------\n", "Message 88:\n", "Registry value set:\n", "RuleName: InvDB-CompileTimeClaim\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 06/19/2024 23:34:22\n", "--------------------------------------------------\n", "Message 89:\n", "Registry value set:\n", "RuleName: InvDB-Ver\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 126.0.2592.68\n", "--------------------------------------------------\n", "Message 90:\n", "Registry value set:\n", "RuleName: InvDB-Path\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: c:\\program files (x86)\\microsoft\\edgewebview\\application\\126.0.2592.68\\identity_helper.exe\n", "--------------------------------------------------\n", "Message 91:\n", "Registry value set:\n", "RuleName: InvDB-Pub\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: microsoft corporation\n", "--------------------------------------------------\n", "Message 92:\n", "Registry value set:\n", "RuleName: InvDB-CompileTimeClaim\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 06/19/2024 23:34:22\n", "--------------------------------------------------\n", "Message 93:\n", "Registry value set:\n", "RuleName: InvDB-Ver\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 126.0.2592.68\n", "--------------------------------------------------\n", "Message 94:\n", "Registry value set:\n", "RuleName: InvDB-Path\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: c:\\program files (x86)\\microsoft\\edgewebview\\application\\126.0.2592.68\\bho\\ie_to_edge_stub.exe\n", "--------------------------------------------------\n", "Message 95:\n", "Registry value set:\n", "RuleName: InvDB-Pub\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: microsoft corporation\n", "--------------------------------------------------\n", "Message 96:\n", "Registry value set:\n", "RuleName: InvDB-CompileTimeClaim\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 06/19/2024 23:34:22\n", "--------------------------------------------------\n", "Message 97:\n", "Registry value set:\n", "RuleName: InvDB-Ver\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 126.0.2592.68\n", "--------------------------------------------------\n", "Message 98:\n", "Registry value set:\n", "RuleName: InvDB-Path\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: c:\\program files (x86)\\microsoft\\edgewebview\\application\\126.0.2592.68\\msedge.exe\n", "--------------------------------------------------\n", "Message 99:\n", "Registry value set:\n", "RuleName: InvDB-Pub\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: microsoft corporation\n", "--------------------------------------------------\n", "Message 100:\n", "Registry value set:\n", "RuleName: InvDB-CompileTimeClaim\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 06/19/2024 23:34:22\n", "--------------------------------------------------\n", "Message 101:\n", "Registry value set:\n", "RuleName: InvDB-Ver\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 126.0.2592.68\n", "--------------------------------------------------\n", "Message 102:\n", "Registry value set:\n", "RuleName: InvDB-Path\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: c:\\program files (x86)\\microsoft\\edgewebview\\application\\126.0.2592.68\\msedgewebview2.exe\n", "--------------------------------------------------\n", "Message 103:\n", "Registry value set:\n", "RuleName: InvDB-Pub\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: microsoft corporation\n", "--------------------------------------------------\n", "Message 104:\n", "Registry value set:\n", "RuleName: InvDB-CompileTimeClaim\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 06/19/2024 23:34:22\n", "--------------------------------------------------\n", "Message 105:\n", "Registry value set:\n", "RuleName: InvDB-Ver\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 126.0.2592.68\n", "--------------------------------------------------\n", "Message 106:\n", "Registry value set:\n", "RuleName: InvDB-Path\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: c:\\program files (x86)\\microsoft\\edgewebview\\application\\126.0.2592.68\\msedge_proxy.exe\n", "--------------------------------------------------\n", "Message 107:\n", "Registry value set:\n", "RuleName: InvDB-Pub\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: microsoft corporation\n", "--------------------------------------------------\n", "Message 108:\n", "Registry value set:\n", "RuleName: InvDB-CompileTimeClaim\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 06/19/2024 23:34:22\n", "--------------------------------------------------\n", "Message 109:\n", "Registry value set:\n", "RuleName: InvDB-Ver\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 126.0.2592.68\n", "--------------------------------------------------\n", "Message 110:\n", "Registry value set:\n", "RuleName: InvDB-Path\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: c:\\program files (x86)\\microsoft\\edgewebview\\application\\126.0.2592.68\\msedge_pwa_launcher.exe\n", "--------------------------------------------------\n", "Message 111:\n", "Registry value set:\n", "RuleName: InvDB-Pub\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: microsoft corporation\n", "--------------------------------------------------\n", "Message 112:\n", "Registry value set:\n", "RuleName: InvDB-CompileTimeClaim\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 06/19/2024 23:34:22\n", "--------------------------------------------------\n", "Message 113:\n", "Registry value set:\n", "RuleName: InvDB-Ver\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 126.0.2592.68\n", "--------------------------------------------------\n", "Message 114:\n", "Registry value set:\n", "RuleName: InvDB-Path\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: c:\\program files (x86)\\microsoft\\edgewebview\\application\\126.0.2592.68\\notification_helper.exe\n", "--------------------------------------------------\n", "Message 115:\n", "Registry value set:\n", "RuleName: InvDB-Pub\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: microsoft corporation\n", "--------------------------------------------------\n", "Message 116:\n", "Registry value set:\n", "RuleName: InvDB-CompileTimeClaim\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 06/19/2024 23:34:22\n", "--------------------------------------------------\n", "Message 117:\n", "Registry value set:\n", "RuleName: InvDB-Ver\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 126.0.2592.68\n", "--------------------------------------------------\n", "Message 118:\n", "Registry value set:\n", "RuleName: InvDB-Path\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: c:\\program files (x86)\\microsoft\\edgewebview\\application\\126.0.2592.68\\pwahelper.exe\n", "--------------------------------------------------\n", "Message 119:\n", "Registry value set:\n", "RuleName: InvDB-Pub\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: microsoft corporation\n", "--------------------------------------------------\n", "Message 120:\n", "Registry value set:\n", "RuleName: InvDB-CompileTimeClaim\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 06/19/2024 23:34:22\n", "--------------------------------------------------\n", "Message 121:\n", "Registry value set:\n", "RuleName: InvDB-Ver\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 126.0.2592.68\n", "--------------------------------------------------\n", "Message 122:\n", "Registry value set:\n", "RuleName: InvDB-Path\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: c:\\program files (x86)\\microsoft\\edgewebview\\application\\126.0.2592.68\\installer\\setup.exe\n", "--------------------------------------------------\n", "Message 123:\n", "Registry value set:\n", "RuleName: InvDB-Pub\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: microsoft corporation\n", "--------------------------------------------------\n", "Message 124:\n", "Registry value set:\n", "RuleName: InvDB-CompileTimeClaim\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 06/19/2024 23:34:22\n", "--------------------------------------------------\n", "Message 125:\n", "Registry value set:\n", "RuleName: InvDB-Ver\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 126.0.2592.68\n", "--------------------------------------------------\n", "Message 126:\n", "Registry value set:\n", "RuleName: InvDB-Pub\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: Microsoft Corporation\n", "--------------------------------------------------\n", "Message 127:\n", "Registry value set:\n", "RuleName: InvDB-Path\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: c:\\users\\ansible\\appdata\\local\\microsoft\\teams\\current\\squirrel.exe\n", "--------------------------------------------------\n", "Message 128:\n", "Registry value set:\n", "RuleName: InvDB-Pub\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: microsoft corporation\n", "--------------------------------------------------\n", "Message 129:\n", "Registry value set:\n", "RuleName: InvDB-CompileTimeClaim\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 08/28/2020 18:31:14\n", "--------------------------------------------------\n", "Message 130:\n", "Registry value set:\n", "RuleName: InvDB-Ver\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 1.10.54.0\n", "--------------------------------------------------\n", "Message 131:\n", "Registry value set:\n", "RuleName: InvDB-Path\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: c:\\program files (x86)\\microsoft\\edge\\application\\126.0.2592.68\\cookie_exporter.exe\n", "--------------------------------------------------\n", "Message 132:\n", "Registry value set:\n", "RuleName: InvDB-Pub\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: microsoft corporation\n", "--------------------------------------------------\n", "Message 133:\n", "Registry value set:\n", "RuleName: InvDB-CompileTimeClaim\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 06/19/2024 23:34:22\n", "--------------------------------------------------\n", "Message 134:\n", "Registry value set:\n", "RuleName: InvDB-Ver\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 126.0.2592.68\n", "--------------------------------------------------\n", "Message 135:\n", "Registry value set:\n", "RuleName: InvDB-Path\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: c:\\program files (x86)\\microsoft\\edge\\application\\126.0.2592.68\\elevation_service.exe\n", "--------------------------------------------------\n", "Message 136:\n", "Registry value set:\n", "RuleName: InvDB-Pub\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: microsoft corporation\n", "--------------------------------------------------\n", "Message 137:\n", "Registry value set:\n", "RuleName: InvDB-CompileTimeClaim\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 06/19/2024 23:34:22\n", "--------------------------------------------------\n", "Message 138:\n", "Registry value set:\n", "RuleName: InvDB-Ver\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 126.0.2592.68\n", "--------------------------------------------------\n", "Message 139:\n", "Registry value set:\n", "RuleName: InvDB-Path\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: c:\\program files (x86)\\microsoft\\edge\\application\\126.0.2592.68\\identity_helper.exe\n", "--------------------------------------------------\n", "Message 140:\n", "Registry value set:\n", "RuleName: InvDB-Pub\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: microsoft corporation\n", "--------------------------------------------------\n", "Message 141:\n", "Registry value set:\n", "RuleName: InvDB-CompileTimeClaim\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 06/19/2024 23:34:22\n", "--------------------------------------------------\n", "Message 142:\n", "Registry value set:\n", "RuleName: InvDB-Ver\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 126.0.2592.68\n", "--------------------------------------------------\n", "Message 143:\n", "Registry value set:\n", "RuleName: InvDB-Path\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: c:\\program files (x86)\\microsoft\\edge\\application\\126.0.2592.68\\bho\\ie_to_edge_stub.exe\n", "--------------------------------------------------\n", "Message 144:\n", "Registry value set:\n", "RuleName: InvDB-Pub\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: microsoft corporation\n", "--------------------------------------------------\n", "Message 145:\n", "Registry value set:\n", "RuleName: InvDB-CompileTimeClaim\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 06/19/2024 23:34:22\n", "--------------------------------------------------\n", "Message 146:\n", "Registry value set:\n", "RuleName: InvDB-Ver\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 126.0.2592.68\n", "--------------------------------------------------\n", "Message 147:\n", "Registry value set:\n", "RuleName: InvDB-Path\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: c:\\program files (x86)\\microsoft\\edge\\application\\126.0.2592.68\\msedge.exe\n", "--------------------------------------------------\n", "Message 148:\n", "Registry value set:\n", "RuleName: InvDB-Pub\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: microsoft corporation\n", "--------------------------------------------------\n", "Message 149:\n", "Registry value set:\n", "RuleName: InvDB-CompileTimeClaim\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 06/19/2024 23:34:22\n", "--------------------------------------------------\n", "Message 150:\n", "Registry value set:\n", "RuleName: InvDB-Ver\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 126.0.2592.68\n", "--------------------------------------------------\n", "Message 151:\n", "Registry value set:\n", "RuleName: InvDB-Path\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: c:\\program files (x86)\\microsoft\\edge\\application\\126.0.2592.68\\msedgewebview2.exe\n", "--------------------------------------------------\n", "Message 152:\n", "Registry value set:\n", "RuleName: InvDB-Pub\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: microsoft corporation\n", "--------------------------------------------------\n", "Message 153:\n", "Registry value set:\n", "RuleName: InvDB-CompileTimeClaim\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 06/19/2024 23:34:22\n", "--------------------------------------------------\n", "Message 154:\n", "Registry value set:\n", "RuleName: InvDB-Ver\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 126.0.2592.68\n", "--------------------------------------------------\n", "Message 155:\n", "Registry value set:\n", "RuleName: InvDB-Path\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: c:\\program files (x86)\\microsoft\\edge\\application\\126.0.2592.68\\msedge_proxy.exe\n", "--------------------------------------------------\n", "Message 156:\n", "Registry value set:\n", "RuleName: InvDB-Pub\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: microsoft corporation\n", "--------------------------------------------------\n", "Message 157:\n", "Registry value set:\n", "RuleName: InvDB-CompileTimeClaim\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 06/19/2024 23:34:22\n", "--------------------------------------------------\n", "Message 158:\n", "Registry value set:\n", "RuleName: InvDB-Ver\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 126.0.2592.68\n", "--------------------------------------------------\n", "Message 159:\n", "Registry value set:\n", "RuleName: InvDB-Path\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: c:\\program files (x86)\\microsoft\\edge\\application\\126.0.2592.68\\msedge_pwa_launcher.exe\n", "--------------------------------------------------\n", "Message 160:\n", "Registry value set:\n", "RuleName: InvDB-Pub\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: microsoft corporation\n", "--------------------------------------------------\n", "Message 161:\n", "Registry value set:\n", "RuleName: InvDB-CompileTimeClaim\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 06/19/2024 23:34:22\n", "--------------------------------------------------\n", "Message 162:\n", "Registry value set:\n", "RuleName: InvDB-Ver\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 126.0.2592.68\n", "--------------------------------------------------\n", "Message 163:\n", "Registry value set:\n", "RuleName: InvDB-Path\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: c:\\program files (x86)\\microsoft\\edge\\application\\126.0.2592.68\\notification_click_helper.exe\n", "--------------------------------------------------\n", "Message 164:\n", "Registry value set:\n", "RuleName: InvDB-Pub\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: microsoft corporation\n", "--------------------------------------------------\n", "Message 165:\n", "Registry value set:\n", "RuleName: InvDB-CompileTimeClaim\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 06/19/2024 23:34:22\n", "--------------------------------------------------\n", "Message 166:\n", "Registry value set:\n", "RuleName: InvDB-Ver\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 126.0.2592.68\n", "--------------------------------------------------\n", "Message 167:\n", "Registry value set:\n", "RuleName: InvDB-Path\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: c:\\program files (x86)\\microsoft\\edge\\application\\126.0.2592.68\\notification_helper.exe\n", "--------------------------------------------------\n", "Message 168:\n", "Registry value set:\n", "RuleName: InvDB-Pub\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: microsoft corporation\n", "--------------------------------------------------\n", "Message 169:\n", "Registry value set:\n", "RuleName: InvDB-CompileTimeClaim\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 06/19/2024 23:34:22\n", "--------------------------------------------------\n", "Message 170:\n", "Registry value set:\n", "RuleName: InvDB-Ver\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 126.0.2592.68\n", "--------------------------------------------------\n", "Message 171:\n", "Registry value set:\n", "RuleName: InvDB-Path\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: c:\\program files (x86)\\microsoft\\edge\\application\\126.0.2592.68\\pwahelper.exe\n", "--------------------------------------------------\n", "Message 172:\n", "Registry value set:\n", "RuleName: InvDB-Pub\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: microsoft corporation\n", "--------------------------------------------------\n", "Message 173:\n", "Registry value set:\n", "RuleName: InvDB-CompileTimeClaim\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 06/19/2024 23:34:22\n", "--------------------------------------------------\n", "Message 174:\n", "Registry value set:\n", "RuleName: InvDB-Ver\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 126.0.2592.68\n", "--------------------------------------------------\n", "Message 175:\n", "Registry value set:\n", "RuleName: InvDB-Path\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: c:\\program files (x86)\\microsoft\\edge\\application\\126.0.2592.68\\installer\\setup.exe\n", "--------------------------------------------------\n", "Message 176:\n", "Registry value set:\n", "RuleName: InvDB-Pub\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: microsoft corporation\n", "--------------------------------------------------\n", "Message 177:\n", "Registry value set:\n", "RuleName: InvDB-CompileTimeClaim\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 06/19/2024 23:34:22\n", "--------------------------------------------------\n", "Message 178:\n", "Registry value set:\n", "RuleName: InvDB-Ver\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 126.0.2592.68\n", "--------------------------------------------------\n", "Message 179:\n", "Registry value set:\n", "RuleName: InvDB-Pub\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: Microsoft Corporation\n", "--------------------------------------------------\n", "Message 180:\n", "Registry value set:\n", "RuleName: InvDB-Path\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: c:\\users\\ansible\\appdata\\local\\microsoft\\onedrive\\21.220.1024.0005\\onedrivesetup.exe\n", "--------------------------------------------------\n", "Message 181:\n", "Registry value set:\n", "RuleName: InvDB-Pub\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: microsoft corporation\n", "--------------------------------------------------\n", "Message 182:\n", "Registry value set:\n", "RuleName: InvDB-CompileTimeClaim\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 04/29/2042 07:55:35\n", "--------------------------------------------------\n", "Message 183:\n", "Registry value set:\n", "RuleName: InvDB-Ver\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 21.220.1024.5\n", "--------------------------------------------------\n", "Message 184:\n", "Registry value set:\n", "RuleName: InvDB-Path\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: c:\\users\\ansible\\appdata\\local\\microsoft\\onedrive\\21.220.1024.0005\\onedriveupdaterservice.exe\n", "--------------------------------------------------\n", "Message 185:\n", "Registry value set:\n", "RuleName: InvDB-Pub\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: microsoft corporation\n", "--------------------------------------------------\n", "Message 186:\n", "Registry value set:\n", "RuleName: InvDB-CompileTimeClaim\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 01/30/2009 20:46:00\n", "--------------------------------------------------\n", "Message 187:\n", "Registry value set:\n", "RuleName: InvDB-Ver\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 21.220.1024.5\n", "--------------------------------------------------\n", "Message 188:\n", "Registry value set:\n", "RuleName: InvDB-Pub\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: Microsoft Corporation\n", "--------------------------------------------------\n", "Message 189:\n", "Process Create:\n", "RuleName: -\n", "ProcessId: 5488\n", "Image: C:\\Windows\\System32\\taskhostw.exe\n", "Description: Host Process for Windows Tasks\n", "Product: Microsoft® Windows® Operating System\n", "Company: Microsoft Corporation\n", "OriginalFileName: taskhostw.exe\n", "CommandLine: taskhostw.exe\n", "CurrentDirectory: C:\\Windows\\system32\\\n", "User: SYSTEM\n", "TerminalSessionId: 0\n", "IntegrityLevel: System\n", "ParentProcessId: 2024\n", "ParentImage: C:\\Windows\\System32\\svchost.exe\n", "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n", "--------------------------------------------------\n", "Message 190:\n", "Process Create:\n", "RuleName: -\n", "ProcessId: 4728\n", "Image: C:\\Windows\\System32\\SrTasks.exe\n", "Description: Microsoft® Windows System Protection background tasks.\n", "Product: Microsoft® Windows® Operating System\n", "Company: Microsoft Corporation\n", "OriginalFileName: srtasks.exe\n", "CommandLine: \"C:\\Windows\\system32\\srtasks.exe\" ExecuteScheduledSPPCreation\n", "CurrentDirectory: C:\\Windows\\system32\\\n", "User: SYSTEM\n", "TerminalSessionId: 0\n", "IntegrityLevel: System\n", "ParentProcessId: 2024\n", "ParentImage: C:\\Windows\\System32\\svchost.exe\n", "ParentCommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule\n", "--------------------------------------------------\n", "Message 191:\n", "Registry value set:\n", "RuleName: InvDB-Path\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: c:\\users\\ansible\\appdata\\local\\microsoft\\onedrive\\21.220.1024.0005\\filecoauth.exe\n", "--------------------------------------------------\n", "Message 192:\n", "Registry value set:\n", "RuleName: InvDB-Pub\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: microsoft corporation\n", "--------------------------------------------------\n", "Message 193:\n", "Registry value set:\n", "RuleName: InvDB-CompileTimeClaim\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 09/04/1976 00:39:52\n", "--------------------------------------------------\n", "Message 194:\n", "Registry value set:\n", "RuleName: InvDB-Ver\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 21.220.1024.5\n", "--------------------------------------------------\n", "Message 195:\n", "Registry value set:\n", "RuleName: InvDB-Path\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: c:\\users\\ansible\\appdata\\local\\microsoft\\onedrive\\21.220.1024.0005\\filesyncconfig.exe\n", "--------------------------------------------------\n", "Message 196:\n", "Registry value set:\n", "RuleName: InvDB-Pub\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: microsoft corporation\n", "--------------------------------------------------\n", "Message 197:\n", "Registry value set:\n", "RuleName: InvDB-CompileTimeClaim\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 02/11/2005 13:45:08\n", "--------------------------------------------------\n", "Message 198:\n", "Registry value set:\n", "RuleName: InvDB-Ver\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: 21.220.1024.5\n", "--------------------------------------------------\n", "Message 199:\n", "Registry value set:\n", "RuleName: InvDB-Path\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: c:\\users\\ansible\\appdata\\local\\microsoft\\onedrive\\21.220.1024.0005\\filesynchelper.exe\n", "--------------------------------------------------\n", "Message 200:\n", "Registry value set:\n", "RuleName: InvDB-Pub\n", "EventType: SetValue\n", "ProcessId: 2156\n", "Image: C:\\Windows\\system32\\CompatTelRunner.exe\n", "Details: microsoft corporation\n", "--------------------------------------------------\n" ] } ], "execution_count": 3 }, { "metadata": { "ExecuteTime": { "end_time": "2024-06-23T14:27:52.793229Z", "start_time": "2024-06-23T14:27:52.788792Z" } }, "cell_type": "code", "source": [ "# Assuming df_f is your modified DataFrame with all necessary columns including 'filtered_message'\n", "# Select specific columns from the DataFrame\n", "selected_columns_df = df_f.select([\"log.level\", \"winlog.event_id\", \"winlog.task\",\"filtered_message\"])\n", "\n", "# Write the selected columns to a CSV file\n", "selected_columns_df.write_csv('lab_logs_blindtest_activity_filtered.csv')\n" ], "id": "ff54936e81a933fd", "outputs": [], "execution_count": 5 }, { "metadata": { "ExecuteTime": { "end_time": "2024-06-23T14:27:53.905616Z", "start_time": "2024-06-23T14:27:53.898061Z" } }, "cell_type": "code", "source": "selected_columns_df.head(5)", "id": "da3c38ca8c474ba", "outputs": [ { "data": { "text/plain": [ "shape: (5, 4)\n", "┌─────────────┬─────────────────┬─────────────────────────────────┬─────────────────────┐\n", "│ log.level ┆ winlog.event_id ┆ winlog.task ┆ filtered_message │\n", "│ --- ┆ --- ┆ --- ┆ --- │\n", "│ str ┆ i64 ┆ str ┆ str │\n", "╞═════════════╪═════════════════╪═════════════════════════════════╪═════════════════════╡\n", "│ information ┆ 10 ┆ Process accessed (rule: Proces… ┆ Process accessed: │\n", "│ ┆ ┆ ┆ RuleName: - │\n", "│ ┆ ┆ ┆ … │\n", "│ information ┆ 10 ┆ Process accessed (rule: Proces… ┆ Process accessed: │\n", "│ ┆ ┆ ┆ RuleName: - │\n", "│ ┆ ┆ ┆ … │\n", "│ information ┆ 1 ┆ Process Create (rule: ProcessC… ┆ Process Create: │\n", "│ ┆ ┆ ┆ RuleName: - │\n", "│ ┆ ┆ ┆ Pr… │\n", "│ information ┆ 13 ┆ Registry value set (rule: Regi… ┆ Registry value set: │\n", "│ ┆ ┆ ┆ RuleName: … │\n", "│ information ┆ 1 ┆ Process Create (rule: ProcessC… ┆ Process Create: │\n", "│ ┆ ┆ ┆ RuleName: - │\n", "│ ┆ ┆ ┆ Pr… │\n", "└─────────────┴─────────────────┴─────────────────────────────────┴─────────────────────┘" ], "text/html": [ "
log.level | winlog.event_id | winlog.task | filtered_message |
---|---|---|---|
str | i64 | str | str |
"information" | 10 | "Process accessed (rule: Proces… | "Process accessed:\n", "RuleName: -\n", "… |
"information" | 10 | "Process accessed (rule: Proces… | "Process accessed:\n", "RuleName: -\n", "… |
"information" | 1 | "Process Create (rule: ProcessC… | "Process Create:\n", "RuleName: -\n", "Pr… |
"information" | 13 | "Registry value set (rule: Regi… | "Registry value set:\n", "RuleName: … |
"information" | 1 | "Process Create (rule: ProcessC… | "Process Create:\n", "RuleName: -\n", "Pr… |