{"ProcessCreateFlags":"524288","IntegrityLevel":"12288","ParentProcessId":"4467531420","SourceProcessId":"4467531420","aip":"3.121.25.25","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-481924243-2636130098-2814363461-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","AuthenticodeHashData":"52bf5c4e3db3c34f21ad9705766a9ade4d20a168","ParentBaseFileName":"cmd.exe","ImageSubsystem":"3","id":"93af018e-0cb2-11ed-bc48-02e78c741df1","EffectiveTransmissionClass":"2","SessionId":"0","GrandParentBaseFileName":"powershell.exe","Tags":"25, 40, 53, 54, 55, 151, 874, 924, 12094627905582, 12094627906234, 237494511599633","timestamp":"1658819663978","event_simpleName":"ProcessRollup2","RawProcessId":"460","ConfigStateHash":"476917656","MD5HashData":"f548717b821860c2b2242367732fe105","SHA256HashData":"e1057a20945bce8f00c0be5e3db40c4a98ab33f42f4d2df919aedb0ef6651d6e","ProcessSxsFlags":"64","AuthenticationId":"2106739","CallStackModuleNamesVersion":"8","ConfigBuild":"1007.3.0015316.1","CommandLine":"bitsadmin.exe  /complete AtomicBITS","ParentAuthenticationId":"2106739","CsaProcessDataCollectionInstanceId":"","TargetProcessId":"4474899496","TreeId":"4297307660","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\bitsadmin.exe","SourceThreadId":"6571504780","CallStackModuleNames":"0\u003c-1\u003e\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll+0xa7414:0x1cf000:0x621ef21b|\\Device\\HarddiskVolume1\\Windows\\System32\\KernelBase.dll+0x2b830:0x21e000:0x62bfb6da|1+0x6b316|\\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll+0x1c213:0xad000:0x62807407|\\Device\\HarddiskVolume1\\Windows\\System32\\cmd.exe+0xf1e1:0x59000:0x57899a99|4+0x11a37|4+0xcb0d|4+0xc295|4+0xc347|4+0xc347|4+0xc347|4+0xc347|4+0xc347|4+0xf916|4+0x1510d|3+0x84d4|0+0x51791","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1658819663.239","CreateProcessType":"3","ProcessParameterFlags":"24577","aid":"e18a0ddec75a45828056bc5358f23e36","SignInfoFlags":"8683538","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"ProcessCreateFlags":"524288","IntegrityLevel":"12288","ParentProcessId":"4467531420","SourceProcessId":"4467531420","aip":"3.121.25.25","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-481924243-2636130098-2814363461-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","AuthenticodeHashData":"52bf5c4e3db3c34f21ad9705766a9ade4d20a168","ParentBaseFileName":"cmd.exe","ImageSubsystem":"3","id":"90e52a36-0cb2-11ed-bc48-02e78c741df1","EffectiveTransmissionClass":"2","SessionId":"0","GrandParentBaseFileName":"powershell.exe","Tags":"25, 40, 53, 54, 55, 151, 874, 924, 12094627905582, 12094627906234, 237494511599633","timestamp":"1658819659300","event_simpleName":"ProcessRollup2","RawProcessId":"3972","ConfigStateHash":"476917656","MD5HashData":"f548717b821860c2b2242367732fe105","SHA256HashData":"e1057a20945bce8f00c0be5e3db40c4a98ab33f42f4d2df919aedb0ef6651d6e","ProcessSxsFlags":"64","AuthenticationId":"2106739","CallStackModuleNamesVersion":"8","ConfigBuild":"1007.3.0015316.1","CommandLine":"bitsadmin.exe  /resume AtomicBITS ","ParentAuthenticationId":"2106739","CsaProcessDataCollectionInstanceId":"","TargetProcessId":"4472682726","TreeId":"4297307660","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\bitsadmin.exe","SourceThreadId":"6571504780","CallStackModuleNames":"0\u003c-1\u003e\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll+0xa7414:0x1cf000:0x621ef21b|\\Device\\HarddiskVolume1\\Windows\\System32\\KernelBase.dll+0x2b830:0x21e000:0x62bfb6da|1+0x6b316|\\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll+0x1c213:0xad000:0x62807407|\\Device\\HarddiskVolume1\\Windows\\System32\\cmd.exe+0xf1e1:0x59000:0x57899a99|4+0x11a37|4+0xcb0d|4+0xc295|4+0x8564|4+0xc347|4+0xc347|4+0xc347|4+0xc347|4+0xf916|4+0x1510d|3+0x84d4|0+0x51791","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1658819658.916","CreateProcessType":"3","ProcessParameterFlags":"24577","aid":"e18a0ddec75a45828056bc5358f23e36","SignInfoFlags":"8683538","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"ProcessCreateFlags":"524288","IntegrityLevel":"12288","ParentProcessId":"4467531420","SourceProcessId":"4467531420","aip":"3.121.25.25","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-481924243-2636130098-2814363461-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","AuthenticodeHashData":"52bf5c4e3db3c34f21ad9705766a9ade4d20a168","ParentBaseFileName":"cmd.exe","ImageSubsystem":"3","id":"90cc4f4d-0cb2-11ed-bc48-02e78c741df1","EffectiveTransmissionClass":"2","SessionId":"0","GrandParentBaseFileName":"powershell.exe","Tags":"25, 40, 53, 54, 55, 151, 874, 924, 12094627905582, 12094627906234, 237494511599633","timestamp":"1658819659137","event_simpleName":"ProcessRollup2","RawProcessId":"3956","ConfigStateHash":"476917656","MD5HashData":"f548717b821860c2b2242367732fe105","SHA256HashData":"e1057a20945bce8f00c0be5e3db40c4a98ab33f42f4d2df919aedb0ef6651d6e","ProcessSxsFlags":"64","AuthenticationId":"2106739","CallStackModuleNamesVersion":"8","ConfigBuild":"1007.3.0015316.1","CommandLine":"bitsadmin.exe  /setnotifycmdline AtomicBITS C:\\Windows\\system32\\notepad.exe NULL ","ParentAuthenticationId":"2106739","CsaProcessDataCollectionInstanceId":"","TargetProcessId":"4471216442","TreeId":"4297307660","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\bitsadmin.exe","SourceThreadId":"6571504780","CallStackModuleNames":"0\u003c-1\u003e\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll+0xa7414:0x1cf000:0x621ef21b|\\Device\\HarddiskVolume1\\Windows\\System32\\KernelBase.dll+0x2b830:0x21e000:0x62bfb6da|1+0x6b316|\\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll+0x1c213:0xad000:0x62807407|\\Device\\HarddiskVolume1\\Windows\\System32\\cmd.exe+0xf1e1:0x59000:0x57899a99|4+0x11a37|4+0xcb0d|4+0xc295|4+0x8564|4+0xc347|4+0xc347|4+0xc347|4+0xf916|4+0x1510d|3+0x84d4|0+0x51791","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1658819658.863","CreateProcessType":"3","ProcessParameterFlags":"24577","aid":"e18a0ddec75a45828056bc5358f23e36","SignInfoFlags":"8683538","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"ProcessCreateFlags":"524288","IntegrityLevel":"12288","ParentProcessId":"4467531420","SourceProcessId":"4467531420","aip":"3.121.25.25","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-481924243-2636130098-2814363461-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","AuthenticodeHashData":"52bf5c4e3db3c34f21ad9705766a9ade4d20a168","ParentBaseFileName":"cmd.exe","ImageSubsystem":"3","id":"90cc4c9d-0cb2-11ed-bc48-02e78c741df1","EffectiveTransmissionClass":"2","SessionId":"0","GrandParentBaseFileName":"powershell.exe","Tags":"25, 40, 53, 54, 55, 151, 874, 924, 180388736843, 12094627905582, 12094627906234, 237494511599633","timestamp":"1658819659137","event_simpleName":"ProcessRollup2","RawProcessId":"2544","ConfigStateHash":"476917656","MD5HashData":"f548717b821860c2b2242367732fe105","SHA256HashData":"e1057a20945bce8f00c0be5e3db40c4a98ab33f42f4d2df919aedb0ef6651d6e","ProcessSxsFlags":"64","AuthenticationId":"2106739","CallStackModuleNamesVersion":"8","ConfigBuild":"1007.3.0015316.1","CommandLine":"bitsadmin.exe  /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\bitsadmin3_flag.ps1 ","ParentAuthenticationId":"2106739","CsaProcessDataCollectionInstanceId":"","TargetProcessId":"4470303270","TreeId":"4297307660","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\bitsadmin.exe","SourceThreadId":"6571504780","CallStackModuleNames":"0\u003c-1\u003e\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll+0xa7414:0x1cf000:0x621ef21b|\\Device\\HarddiskVolume1\\Windows\\System32\\KernelBase.dll+0x2b830:0x21e000:0x62bfb6da|1+0x6b316|\\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll+0x1c213:0xad000:0x62807407|\\Device\\HarddiskVolume1\\Windows\\System32\\cmd.exe+0xf1e1:0x59000:0x57899a99|4+0x11a37|4+0xcb0d|4+0xc295|4+0x8564|4+0xc347|4+0xc347|4+0xf916|4+0x1510d|3+0x84d4|0+0x51791","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1658819658.807","CreateProcessType":"3","ProcessParameterFlags":"24577","aid":"e18a0ddec75a45828056bc5358f23e36","SignInfoFlags":"8683538","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"WindowTitle":"C:\\Windows\\SYSTEM32\\cmd.exe","ProcessCreateFlags":"134217728","IntegrityLevel":"12288","ParentProcessId":"4456966028","SourceProcessId":"4456966028","aip":"3.121.25.25","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-481924243-2636130098-2814363461-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","AuthenticodeHashData":"02ed035322124a05caf85b4a98e946b252f15aac","ParentBaseFileName":"powershell.exe","ImageSubsystem":"3","id":"90cc4511-0cb2-11ed-bc48-02e78c741df1","EffectiveTransmissionClass":"2","SessionId":"0","GrandParentBaseFileName":"powershell.exe","Tags":"25, 40, 53, 54, 55, 151, 874, 924, 180388736843, 12094627905582, 12094627906234, 263882790666253","timestamp":"1658819659137","event_simpleName":"ProcessRollup2","RawProcessId":"3440","ConfigStateHash":"476917656","MD5HashData":"f4f684066175b77e0c3a000549d2922c","SHA256HashData":"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2","ProcessSxsFlags":"64","AuthenticationId":"2106739","CallStackModuleNamesVersion":"8","ConfigBuild":"1007.3.0015316.1","WindowFlags":"256","CommandLine":"\"cmd.exe\" /c \"bitsadmin.exe /create AtomicBITS \u0026 bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md %temp%\\bitsadmin3_flag.ps1 \u0026 bitsadmin.exe /setnotifycmdline AtomicBITS C:\\Windows\\system32\\notepad.exe NULL \u0026 bitsadmin.exe /resume AtomicBITS \u0026 ping -n 5 127.0.0.1 \u003enul 2\u003e\u00261 \u0026 bitsadmin.exe /complete AtomicBITS\"","ParentAuthenticationId":"2106739","CsaProcessDataCollectionInstanceId":"","TargetProcessId":"4467531420","TreeId":"4297307660","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\cmd.exe","SourceThreadId":"6482887896","CallStackModuleNames":"00000000000000000000010100000000\u003c-1\u003e\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll+0xa7414:0x1cf000:0x621ef21b|\\Device\\HarddiskVolume1\\Windows\\System32\\KernelBase.dll+0x2b830:0x21e000:0x62bfb6da|1+0x6b316|\\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll+0x1c213:0xad000:0x62807407|\\Device\\HarddiskVolume1\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\cffd7931a364802b9133934cad751466\\System.ni.dll+0x383fe6:0xc71000:0x6219dd7a|4+0x2c4809|4+0x2c4179|[HEAP:9:RWX-:UNKNOWN::0x7fff12365000]+0x7fff12365425","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1658819658.671","CreateProcessType":"1","ProcessParameterFlags":"24577","aid":"e18a0ddec75a45828056bc5358f23e36","SignInfoFlags":"8683538","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"ProcessCreateFlags":"524288","IntegrityLevel":"12288","ParentProcessId":"4467531420","SourceProcessId":"4467531420","aip":"3.121.25.25","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-481924243-2636130098-2814363461-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","AuthenticodeHashData":"52bf5c4e3db3c34f21ad9705766a9ade4d20a168","ParentBaseFileName":"cmd.exe","ImageSubsystem":"3","id":"90cc4898-0cb2-11ed-bc48-02e78c741df1","EffectiveTransmissionClass":"2","SessionId":"0","GrandParentBaseFileName":"powershell.exe","Tags":"25, 40, 53, 54, 55, 151, 874, 924, 12094627905582, 12094627906234, 237494511599633","timestamp":"1658819659137","event_simpleName":"ProcessRollup2","RawProcessId":"196","ConfigStateHash":"476917656","MD5HashData":"f548717b821860c2b2242367732fe105","SHA256HashData":"e1057a20945bce8f00c0be5e3db40c4a98ab33f42f4d2df919aedb0ef6651d6e","ProcessSxsFlags":"64","AuthenticationId":"2106739","CallStackModuleNamesVersion":"8","ConfigBuild":"1007.3.0015316.1","CommandLine":"bitsadmin.exe  /create AtomicBITS ","ParentAuthenticationId":"2106739","CsaProcessDataCollectionInstanceId":"","TargetProcessId":"4469786212","TreeId":"4297307660","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\bitsadmin.exe","SourceThreadId":"6571504780","CallStackModuleNames":"0\u003c-1\u003e\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll+0xa7414:0x1cf000:0x621ef21b|\\Device\\HarddiskVolume1\\Windows\\System32\\KernelBase.dll+0x2b830:0x21e000:0x62bfb6da|1+0x6b316|\\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll+0x1c213:0xad000:0x62807407|\\Device\\HarddiskVolume1\\Windows\\System32\\cmd.exe+0xf1e1:0x59000:0x57899a99|4+0x11a37|4+0xcb0d|4+0xc295|4+0x8564|4+0xc347|4+0xf916|4+0x1510d|3+0x84d4|0+0x51791","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1658819658.754","CreateProcessType":"3","ProcessParameterFlags":"24577","aid":"e18a0ddec75a45828056bc5358f23e36","SignInfoFlags":"8683538","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"ProcessCreateFlags":"524288","IntegrityLevel":"12288","ParentProcessId":"4462332898","SourceProcessId":"4462332898","aip":"3.121.25.25","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-481924243-2636130098-2814363461-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","AuthenticodeHashData":"52bf5c4e3db3c34f21ad9705766a9ade4d20a168","ParentBaseFileName":"cmd.exe","ImageSubsystem":"3","id":"902e1f54-0cb2-11ed-bc47-02e78c741df1","EffectiveTransmissionClass":"2","SessionId":"0","GrandParentBaseFileName":"powershell.exe","Tags":"25, 40, 53, 54, 55, 151, 874, 924, 180388736843, 12094627905582, 12094627906234, 237494511599633","timestamp":"1658819658100","event_simpleName":"ProcessRollup2","RawProcessId":"604","ConfigStateHash":"476917656","MD5HashData":"f548717b821860c2b2242367732fe105","SHA256HashData":"e1057a20945bce8f00c0be5e3db40c4a98ab33f42f4d2df919aedb0ef6651d6e","ProcessSxsFlags":"64","AuthenticationId":"2106739","CallStackModuleNamesVersion":"8","ConfigBuild":"1007.3.0015316.1","CommandLine":"bitsadmin.exe  /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\bitsadmin1_flag.ps1","ParentAuthenticationId":"2106739","CsaProcessDataCollectionInstanceId":"","TargetProcessId":"4464629778","TreeId":"4295120306","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\bitsadmin.exe","SourceThreadId":"6509454870","CallStackModuleNames":"0\u003c-1\u003e\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll+0xa7414:0x1cf000:0x621ef21b|\\Device\\HarddiskVolume1\\Windows\\System32\\KernelBase.dll+0x2b830:0x21e000:0x62bfb6da|1+0x6b316|\\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll+0x1c213:0xad000:0x62807407|\\Device\\HarddiskVolume1\\Windows\\System32\\cmd.exe+0xf1e1:0x59000:0x57899a99|4+0x11a37|4+0xcb0d|4+0xc295|4+0xf916|4+0x1510d|3+0x84d4|0+0x51791","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1658819657.565","CreateProcessType":"3","ProcessParameterFlags":"24577","aid":"e18a0ddec75a45828056bc5358f23e36","SignInfoFlags":"8683538","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"WindowTitle":"C:\\Windows\\SYSTEM32\\cmd.exe","ProcessCreateFlags":"134217728","IntegrityLevel":"12288","ParentProcessId":"4456966028","SourceProcessId":"4456966028","aip":"3.121.25.25","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-481924243-2636130098-2814363461-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","AuthenticodeHashData":"02ed035322124a05caf85b4a98e946b252f15aac","ParentBaseFileName":"powershell.exe","ImageSubsystem":"3","id":"902dd7ab-0cb2-11ed-bc47-02e78c741df1","EffectiveTransmissionClass":"2","SessionId":"0","GrandParentBaseFileName":"powershell.exe","Tags":"25, 40, 53, 54, 55, 151, 874, 924, 180388736843, 12094627905582, 12094627906234, 263882790666253","timestamp":"1658819658098","event_simpleName":"ProcessRollup2","RawProcessId":"3404","ConfigStateHash":"476917656","MD5HashData":"f4f684066175b77e0c3a000549d2922c","SHA256HashData":"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2","ProcessSxsFlags":"64","AuthenticationId":"2106739","CallStackModuleNamesVersion":"8","ConfigBuild":"1007.3.0015316.1","WindowFlags":"256","CommandLine":"\"cmd.exe\" /c \"bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md %temp%\\bitsadmin1_flag.ps1\"","ParentAuthenticationId":"2106739","CsaProcessDataCollectionInstanceId":"","TargetProcessId":"4462332898","TreeId":"4295120306","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\cmd.exe","SourceThreadId":"6482887896","CallStackModuleNames":"00000000000000000000010100000000\u003c-1\u003e\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll+0xa7414:0x1cf000:0x621ef21b|\\Device\\HarddiskVolume1\\Windows\\System32\\KernelBase.dll+0x2b830:0x21e000:0x62bfb6da|1+0x6b316|\\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll+0x1c213:0xad000:0x62807407|\\Device\\HarddiskVolume1\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\cffd7931a364802b9133934cad751466\\System.ni.dll+0x383fe6:0xc71000:0x6219dd7a|4+0x2c4809|4+0x2c4179|[HEAP:1:RWX-:UNKNOWN::0x7fff12365000]+0x7fff12365425","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1658819657.357","CreateProcessType":"1","ProcessParameterFlags":"24577","aid":"e18a0ddec75a45828056bc5358f23e36","SignInfoFlags":"8683538","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"ProcessCreateFlags":"524288","IntegrityLevel":"12288","ParentProcessId":"218203514","SourceProcessId":"218203514","aip":"3.121.25.25","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-481924243-2636130098-2814363461-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","AuthenticodeHashData":"52bf5c4e3db3c34f21ad9705766a9ade4d20a168","ParentBaseFileName":"cmd.exe","ImageSubsystem":"3","id":"1657b7dc-0cb1-11ed-b1a5-02edee6e54bf","EffectiveTransmissionClass":"2","SessionId":"0","GrandParentBaseFileName":"powershell.exe","Tags":"25, 53, 54, 55, 151, 874, 924, 180388736918, 12094627905582, 12094627906234, 237494511599633","timestamp":"1658819024194","event_simpleName":"ProcessRollup2","RawProcessId":"2956","ConfigStateHash":"3445888748","MD5HashData":"f548717b821860c2b2242367732fe105","SHA256HashData":"e1057a20945bce8f00c0be5e3db40c4a98ab33f42f4d2df919aedb0ef6651d6e","ProcessSxsFlags":"64","AuthenticationId":"1324336","CallStackModuleNamesVersion":"8","ConfigBuild":"1007.3.0015406.1","CommandLine":"bitsadmin  /transfer myDownloadJob /download /priority normal \"https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe\" C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\winrar.exe ","ParentAuthenticationId":"1324336","CsaProcessDataCollectionInstanceId":"","TargetProcessId":"220592626","TreeId":"2158308","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\bitsadmin.exe","SourceThreadId":"2138080888","CallStackModuleNames":"0\u003c-1\u003e\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll+0xa7414:0x1cf000:0x621ef21b|\\Device\\HarddiskVolume1\\Windows\\System32\\KernelBase.dll+0x2b830:0x21e000:0x62bfb6da|1+0x6b316|\\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll+0x1c213:0xad000:0x62807407|\\Device\\HarddiskVolume1\\Windows\\System32\\cmd.exe+0xf1e1:0x59000:0x57899a99|4+0x11a37|4+0xcb0d|4+0xc295|4+0x8564|4+0xc347|4+0xc347|4+0xf916|4+0x1510d|3+0x84d4|0+0x51791","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1658819021.859","CreateProcessType":"3","ProcessParameterFlags":"24577","aid":"e18a0ddec75a45828056bc5358f23e36","SignInfoFlags":"8683538","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"WindowTitle":"C:\\Windows\\SYSTEM32\\cmd.exe","ProcessCreateFlags":"134217728","IntegrityLevel":"12288","ParentProcessId":"206355846","SourceProcessId":"206355846","aip":"3.121.25.25","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-481924243-2636130098-2814363461-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","AuthenticodeHashData":"02ed035322124a05caf85b4a98e946b252f15aac","ParentBaseFileName":"powershell.exe","ImageSubsystem":"3","id":"1657ae65-0cb1-11ed-b1a5-02edee6e54bf","EffectiveTransmissionClass":"3","SessionId":"0","GrandParentBaseFileName":"powershell.exe","Tags":"25, 40, 53, 54, 55, 151, 874, 924, 12094627905582, 12094627906234, 263882790666253","timestamp":"1658819024194","event_simpleName":"ProcessRollup2","RawProcessId":"3044","ConfigStateHash":"3445888748","MD5HashData":"f4f684066175b77e0c3a000549d2922c","SHA256HashData":"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2","ProcessSxsFlags":"64","AuthenticationId":"1324336","CallStackModuleNamesVersion":"8","ConfigBuild":"1007.3.0015406.1","WindowFlags":"256","CommandLine":"\"cmd.exe\" /c \"echo Downloading Winrar installer \u0026 bitsadmin /transfer myDownloadJob /download /priority normal \"https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe\" %TEMP%\\winrar.exe \u0026 %TEMP%\\winrar.exe /S\"","ParentAuthenticationId":"1324336","CsaProcessDataCollectionInstanceId":"","TargetProcessId":"218203514","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\cmd.exe","SourceThreadId":"2049159630","CallStackModuleNames":"00000000000000000000010100000000\u003c-1\u003e\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll+0xa7414:0x1cf000:0x621ef21b|\\Device\\HarddiskVolume1\\Windows\\System32\\KernelBase.dll+0x2b830:0x21e000:0x62bfb6da|1+0x6b316|\\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll+0x1c213:0xad000:0x62807407|\\Device\\HarddiskVolume1\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\cffd7931a364802b9133934cad751466\\System.ni.dll+0x383fe6:0xc71000:0x6219dd7a|4+0x2c4809|4+0x2c4179|[HEAP:1:RWX-:UNKNOWN::0x7fff1203f000]+0x7fff1203f6a5","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1658819021.808","CreateProcessType":"1","ProcessParameterFlags":"24577","aid":"e18a0ddec75a45828056bc5358f23e36","SignInfoFlags":"8683538","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"ProcessCreateFlags":"524288","IntegrityLevel":"12288","ParentProcessId":"212823738","SourceProcessId":"212823738","aip":"3.121.25.25","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-481924243-2636130098-2814363461-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","ParentBaseFileName":"cmd.exe","ImageSubsystem":"3","id":"1575d08f-0cb1-11ed-b1a5-02edee6e54bf","EffectiveTransmissionClass":"2","SessionId":"0","GrandParentBaseFileName":"powershell.exe","Tags":"25, 40, 151, 862, 874, 924, 180388736918, 12094627905582, 12094627906234, 237494511599633","timestamp":"1658819022714","event_simpleName":"ProcessRollup2","RawProcessId":"3988","ConfigStateHash":"3445888748","MD5HashData":"f548717b821860c2b2242367732fe105","SHA256HashData":"e1057a20945bce8f00c0be5e3db40c4a98ab33f42f4d2df919aedb0ef6651d6e","ProcessSxsFlags":"64","AuthenticationId":"1324336","CallStackModuleNamesVersion":"8","ConfigBuild":"1007.3.0015406.1","CommandLine":"bitsadmin  /transfer myDownloadJob /download /priority normal \"https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe\" C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\winrar.exe ","ParentAuthenticationId":"1324336","CsaProcessDataCollectionInstanceId":"","TargetProcessId":"214259214","TreeId":"1923930","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\bitsadmin.exe","SourceThreadId":"2084671218","CallStackModuleNames":"0\u003c-1\u003e\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll+0xa7414:0x1cf000:0x621ef21b|\\Device\\HarddiskVolume1\\Windows\\System32\\KernelBase.dll+0x2b830:0x21e000:0x62bfb6da|1+0x6b316|\\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll+0x1c213:0xad000:0x62807407|\\Device\\HarddiskVolume1\\Windows\\System32\\cmd.exe+0xf1e1:0x59000:0x57899a99|4+0x11a37|4+0xcb0d|4+0xc295|4+0x8564|4+0xc347|4+0xc347|4+0xf916|4+0x1510d|3+0x84d4|0+0x51791","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1658819020.921","CreateProcessType":"3","ProcessParameterFlags":"24577","aid":"e18a0ddec75a45828056bc5358f23e36","cid":"124cb22314bf4f519be84bce582e7a6b"}
{"WindowTitle":"C:\\Windows\\SYSTEM32\\cmd.exe","ProcessCreateFlags":"134217728","IntegrityLevel":"12288","ParentProcessId":"206355846","SourceProcessId":"206355846","aip":"3.121.25.25","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-481924243-2636130098-2814363461-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","AuthenticodeHashData":"02ed035322124a05caf85b4a98e946b252f15aac","ParentBaseFileName":"powershell.exe","ImageSubsystem":"3","id":"1550528e-0cb1-11ed-b1a5-02edee6e54bf","EffectiveTransmissionClass":"3","SessionId":"0","GrandParentBaseFileName":"powershell.exe","Tags":"25, 40, 53, 54, 55, 151, 874, 924, 12094627905582, 12094627906234, 263882790666253","timestamp":"1658819022468","event_simpleName":"ProcessRollup2","RawProcessId":"2256","ConfigStateHash":"3445888748","MD5HashData":"f4f684066175b77e0c3a000549d2922c","SHA256HashData":"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2","ProcessSxsFlags":"64","AuthenticationId":"1324336","CallStackModuleNamesVersion":"8","ConfigBuild":"1007.3.0015406.1","WindowFlags":"256","CommandLine":"\"cmd.exe\" /c \"echo Downloading Winrar installer \u0026 bitsadmin /transfer myDownloadJob /download /priority normal \"https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe\" %TEMP%\\winrar.exe \u0026 %TEMP%\\winrar.exe /S\"","ParentAuthenticationId":"1324336","CsaProcessDataCollectionInstanceId":"","TargetProcessId":"212823738","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\cmd.exe","SourceThreadId":"2049159630","CallStackModuleNames":"00000000000000000000010100000000\u003c-1\u003e\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll+0xa7414:0x1cf000:0x621ef21b|\\Device\\HarddiskVolume1\\Windows\\System32\\KernelBase.dll+0x2b830:0x21e000:0x62bfb6da|1+0x6b316|\\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll+0x1c213:0xad000:0x62807407|\\Device\\HarddiskVolume1\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\cffd7931a364802b9133934cad751466\\System.ni.dll+0x383fe6:0xc71000:0x6219dd7a|4+0x2c4809|4+0x2c4179|[HEAP:1:RWX-:UNKNOWN::0x7fff1203f000]+0x7fff1203f6a5","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1658819020.835","CreateProcessType":"1","ProcessParameterFlags":"24577","aid":"e18a0ddec75a45828056bc5358f23e36","SignInfoFlags":"8683538","cid":"124cb22314bf4f519be84bce582e7a6b"}