Tumblelog by Soup.io
Newer posts are loading.
You are at the newest post.
Click here to check if anything new just came in.
armstrongjxam

Sysmon

The ProcessGUID field is a unique value for this process across a domain to make event correlation easier. The hash is a full hash of the file with the algorithm in the HashType field. Example of the process creation event: 7/25/2014 6:53 PM {00DC842A-A7C4-53D2-0000-0010BDB80C00} 3956 C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k wsappx NT AUTHORITY\SYSTEM0x3e70SystemSHA1 4EEA9BDFE0EB41759D96EC9BD224C4519314A8FA {00DC842A-A73B-53D2-0000-0010A8550000} 592 C:\Windows\system32\services.exe C:\Windows\system32\services.exe Event ID 2: A process changed a file creation time The change file creation time event is registered when a file creation time is explicitly modified by a process. This event helps tracking the real creation time of a file.
For the original version including any supplementary images or video, visit http://technet.microsoft.com/en-us/sysinternals/dn798348.aspx

Don't be the product, buy the product!

Schweinderl