{"ProcessCreateFlags":"524288","IntegrityLevel":"12288","ParentProcessId":"5506786702","SourceProcessId":"5506786702","aip":"3.67.206.136","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-3824454219-2061895207-2124001881-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","AuthenticodeHashData":"a47c166c77cc86ec0718ce8ba8e2168c8c844c04","ParentBaseFileName":"cmd.exe","ImageSubsystem":"3","id":"788cfc71-0803-11ed-bab0-06faf2a58edd","EffectiveTransmissionClass":"3","SessionId":"0","GrandParentBaseFileName":"powershell.exe","Tags":"25, 40, 53, 54, 55, 151, 874, 924, 12094627905582, 12094627906234, 237494511599633","timestamp":"1658304651878","event_simpleName":"ProcessRollup2","RawProcessId":"1056","ConfigStateHash":"201284138","MD5HashData":"59a22fa6cf85026bb6bc69a1add75c50","SHA256HashData":"9e28034ce3aeea6951f790f8997df44cfbf80beff9fb17413dba317016a716ad","ProcessSxsFlags":"64","AuthenticationId":"4567222","CallStackModuleNamesVersion":"8","ConfigBuild":"1007.3.0015316.1","CommandLine":"reg  save HKLM\\security C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\security","ParentAuthenticationId":"4567222","CsaProcessDataCollectionInstanceId":"","TargetProcessId":"5510631230","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\reg.exe","SourceThreadId":"18099457888","CallStackModuleNames":"0\u003c-1\u003e\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll+0xa7414:0x1cf000:0x621ef21b|\\Device\\HarddiskVolume1\\Windows\\System32\\KernelBase.dll+0x2b830:0x21e000:0x626ca997|1+0x6b316|\\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll+0x1c213:0xad000:0x62807407|\\Device\\HarddiskVolume1\\Windows\\System32\\cmd.exe+0xf1e1:0x59000:0x57899a99|4+0x11a37|4+0xcb0d|4+0xc295|4+0xc347|4+0xc347|4+0xf916|4+0x1510d|3+0x84d4|0+0x51791","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1658304651.559","CreateProcessType":"3","ProcessParameterFlags":"24577","aid":"5901cc28910349b3971e8f3edc7341e9","SignInfoFlags":"8683538","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"ProcessCreateFlags":"524288","IntegrityLevel":"12288","ParentProcessId":"5506786702","SourceProcessId":"5506786702","aip":"3.67.206.136","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-3824454219-2061895207-2124001881-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","AuthenticodeHashData":"a47c166c77cc86ec0718ce8ba8e2168c8c844c04","ParentBaseFileName":"cmd.exe","ImageSubsystem":"3","id":"788cd20e-0803-11ed-bab0-06faf2a58edd","EffectiveTransmissionClass":"2","SessionId":"0","GrandParentBaseFileName":"powershell.exe","Tags":"25, 40, 53, 54, 55, 151, 874, 924, 180388736840, 12094627905582, 12094627906234, 237494511599633","timestamp":"1658304651877","event_simpleName":"ProcessRollup2","RawProcessId":"2408","ConfigStateHash":"201284138","MD5HashData":"59a22fa6cf85026bb6bc69a1add75c50","SHA256HashData":"9e28034ce3aeea6951f790f8997df44cfbf80beff9fb17413dba317016a716ad","ProcessSxsFlags":"64","AuthenticationId":"4567222","CallStackModuleNamesVersion":"8","ConfigBuild":"1007.3.0015316.1","CommandLine":"reg  save HKLM\\system C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\system ","ParentAuthenticationId":"4567222","CsaProcessDataCollectionInstanceId":"","TargetProcessId":"5510188448","TreeId":"4303745436","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\reg.exe","SourceThreadId":"18099457888","CallStackModuleNames":"0\u003c-1\u003e\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll+0xa7414:0x1cf000:0x621ef21b|\\Device\\HarddiskVolume1\\Windows\\System32\\KernelBase.dll+0x2b830:0x21e000:0x626ca997|1+0x6b316|\\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll+0x1c213:0xad000:0x62807407|\\Device\\HarddiskVolume1\\Windows\\System32\\cmd.exe+0xf1e1:0x59000:0x57899a99|4+0x11a37|4+0xcb0d|4+0xc295|4+0x8564|4+0xc347|4+0xc347|4+0xf916|4+0x1510d|3+0x84d4|0+0x51791","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1658304651.306","CreateProcessType":"3","ProcessParameterFlags":"24577","aid":"5901cc28910349b3971e8f3edc7341e9","SignInfoFlags":"8683538","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"ProcessCreateFlags":"524288","IntegrityLevel":"12288","ParentProcessId":"5506786702","SourceProcessId":"5506786702","aip":"3.67.206.136","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-3824454219-2061895207-2124001881-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","ParentBaseFileName":"cmd.exe","ImageSubsystem":"3","id":"788bd261-0803-11ed-bab0-06faf2a58edd","EffectiveTransmissionClass":"2","SessionId":"0","GrandParentBaseFileName":"powershell.exe","Tags":"25, 151, 862, 874, 924, 180388736840, 12094627905582, 12094627906234, 237494511599633","timestamp":"1658304651870","event_simpleName":"ProcessRollup2","RawProcessId":"4824","ConfigStateHash":"201284138","MD5HashData":"59a22fa6cf85026bb6bc69a1add75c50","SHA256HashData":"9e28034ce3aeea6951f790f8997df44cfbf80beff9fb17413dba317016a716ad","ProcessSxsFlags":"64","AuthenticationId":"4567222","CallStackModuleNamesVersion":"8","ConfigBuild":"1007.3.0015316.1","CommandLine":"reg  save HKLM\\sam C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\sam ","ParentAuthenticationId":"4567222","CsaProcessDataCollectionInstanceId":"","TargetProcessId":"5509037820","TreeId":"4302601458","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\reg.exe","SourceThreadId":"18099457888","CallStackModuleNames":"0\u003c-1\u003e\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll+0xa7414:0x1cf000:0x621ef21b|\\Device\\HarddiskVolume1\\Windows\\System32\\KernelBase.dll+0x2b830:0x21e000:0x626ca997|1+0x6b316|\\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll+0x1c213:0xad000:0x62807407|\\Device\\HarddiskVolume1\\Windows\\System32\\cmd.exe+0xf1e1:0x59000:0x57899a99|4+0x11a37|4+0xcb0d|4+0xc295|4+0x8564|4+0xc347|4+0xf916|4+0x1510d|3+0x84d4|0+0x51791","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1658304651.107","CreateProcessType":"3","ProcessParameterFlags":"24577","aid":"5901cc28910349b3971e8f3edc7341e9","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"WindowTitle":"C:\\Windows\\SYSTEM32\\cmd.exe","ProcessCreateFlags":"134217728","IntegrityLevel":"12288","ParentProcessId":"5501646824","SourceProcessId":"5501646824","aip":"3.67.206.136","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-3824454219-2061895207-2124001881-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","AuthenticodeHashData":"02ed035322124a05caf85b4a98e946b252f15aac","ParentBaseFileName":"powershell.exe","ImageSubsystem":"3","id":"7823cad7-0803-11ed-bab0-06faf2a58edd","EffectiveTransmissionClass":"3","SessionId":"0","GrandParentBaseFileName":"powershell.exe","Tags":"25, 40, 53, 54, 55, 151, 874, 924, 12094627905582, 12094627906234, 263882790666253","timestamp":"1658304651188","event_simpleName":"ProcessRollup2","RawProcessId":"3476","ConfigStateHash":"201284138","MD5HashData":"f4f684066175b77e0c3a000549d2922c","SHA256HashData":"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2","ProcessSxsFlags":"64","AuthenticationId":"4567222","CallStackModuleNamesVersion":"8","ConfigBuild":"1007.3.0015316.1","WindowFlags":"256","CommandLine":"\"cmd.exe\" /c \"reg save HKLM\\sam %temp%\\sam \u0026 reg save HKLM\\system %temp%\\system \u0026 reg save HKLM\\security %temp%\\security\"","ParentAuthenticationId":"4567222","CsaProcessDataCollectionInstanceId":"","TargetProcessId":"5506786702","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\cmd.exe","SourceThreadId":"18060227684","CallStackModuleNames":"00000000000000000000010100000000\u003c-1\u003e\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll+0xa7414:0x1cf000:0x621ef21b|\\Device\\HarddiskVolume1\\Windows\\System32\\KernelBase.dll+0x2b830:0x21e000:0x626ca997|1+0x6b316|\\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll+0x1c213:0xad000:0x62807407|\\Device\\HarddiskVolume1\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\cffd7931a364802b9133934cad751466\\System.ni.dll+0x383fe6:0xc71000:0x6219dd7a|4+0x2c4809|4+0x2c4179|[HEAP:1:RWX-:UNKNOWN::0x7ffba0917000]+0x7ffba0917025","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1658304650.998","CreateProcessType":"1","ProcessParameterFlags":"24577","aid":"5901cc28910349b3971e8f3edc7341e9","SignInfoFlags":"8683538","cid":"124cb22314bf4f519be84bce582e7a6b"}