The ProcessGUID field is a unique value for this process across a domain to make event correlation easier. The hash is a full hash of the file, computed with the algorithm named in the HashType field.

Example of the process creation event:

7/25/2014 6:53 PM
{00DC842A-A7C4-53D2-0000-0010BDB80C00}
3956
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wsappx
NT AUTHORITY\SYSTEM
0x3e7
0
System
SHA1
4EEA9BDFE0EB41759D96EC9BD224C4519314A8FA
{00DC842A-A73B-53D2-0000-0010A8550000}
592
C:\Windows\system32\services.exe
C:\Windows\system32\services.exe

Event ID 2: A process changed a file creation time

The change file creation time event is registered when a file creation time is explicitly modified by a process. This event helps track the real creation time of a file.
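The following is an added example, not part of the original page, showing why correlation should key on ProcessGUID rather than the process ID: a file creation time change is attributed to its process, and a process is walked back to its ancestors, even though the PID has been reused. The record layout and key names are assumptions for illustration; the first two records reuse the values from the process creation event above and everything else is constructed.

```python
# Constructed sample data. Key names (ProcessGuid, ParentProcessGuid, ...) are
# assumptions for this example; the first two records reuse the values from
# the event shown above, the rest are made up.
SERVICES = "{00DC842A-A73B-53D2-0000-0010A8550000}"
SVCHOST = "{00DC842A-A7C4-53D2-0000-0010BDB80C00}"
LATER = "{CONSTRUCTED-GUID-0001}"  # later process that reuses PID 3956

PROCESS_CREATE = [
    {"ProcessGuid": SERVICES, "ProcessId": 592, "ParentProcessGuid": None,
     "Image": r"C:\Windows\system32\services.exe"},
    {"ProcessGuid": SVCHOST, "ProcessId": 3956, "ParentProcessGuid": SERVICES,
     "Image": r"C:\Windows\system32\svchost.exe"},
    {"ProcessGuid": LATER, "ProcessId": 3956, "ParentProcessGuid": SERVICES,
     "Image": r"C:\Example\tool.exe"},
]

# Constructed Event ID 2 record: a process changed a file creation time.
FILE_TIME_CHANGED = {"ProcessGuid": LATER, "ProcessId": 3956,
                     "TargetFilename": r"C:\Example\report.doc"}


def index_by_guid(events):
    """Map ProcessGuid -> process creation record; reject duplicate GUIDs."""
    index = {}
    for ev in events:
        if ev["ProcessGuid"] in index:
            raise ValueError("duplicate ProcessGuid " + ev["ProcessGuid"])
        index[ev["ProcessGuid"]] = ev
    return index


def candidates_by_pid(events, pid):
    """Every process creation record that used this PID (PIDs get reused)."""
    return [ev for ev in events if ev["ProcessId"] == pid]


def lineage(index, guid):
    """Image paths from the given process up to the oldest known ancestor."""
    chain, seen = [], set()
    while guid in index and guid not in seen:  # stop on gaps and on cycles
        seen.add(guid)
        chain.append(index[guid]["Image"])
        guid = index[guid]["ParentProcessGuid"]
    return chain
```

Looking up PID 3956 returns two candidate processes, while the GUID carried in the file time event resolves to exactly one.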
