I have a GUID which a Sysinternals tool named Sysmon left. It looks like this:
3/18 C591B94E-4BDD-5AAE-0000-001073B13706
4/4 C591B94E-1BFA-5AC5-0000-0010E76F3903
4/29 C591B94E-A33F-5AE5-0000-001074CA4C26
5/2(different windows account) C591B94E-E23B-5AE9-0000-0010DD40EF32
5/2(on the virtual machine) A15730FB-E3DA-5AE9-0000-0010AB2C0800
It's generated when a process is created (Event ID 1) on my computer, on different days and in different environments. And I found the UUID format (https://en.wikipedia.org/wiki/Universally_unique_identifier):
xxxxxxxx-xxxx-Mxxx-Nxxx-xxxxxxxxxxxx (M indicates the UUID version, and the one to three most significant bits of digit N indicate the UUID variant)
According to this, my 3/18 example is C591B94E-4BDD-5AAE-0000-001073B13706. It means M is 5 and N is 0. In other words, the UUID version is 5 and the variant is 0. It means it's a SHA-1 hash value (version 5) and the variant is 0.
I really wonder what the other numbers mean, because Sysmon's documentation says that the GUID is helpful for correlation, but it never explains what these numbers mean.
I can guess the first group is related to PC information, because only when I changed the PC (5/2 on the virtual machine) did the first group change (C591B94E -> A15730FB). So I thought it was related to the MAC or IP address. But even when I changed the MAC and IP address, it stayed A15730FB or C591B94E.
I'm sure the second group is related to time.
But I can't figure out what exactly this means.
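
Added example, not part of the original post: a Python sketch that splits the ProcessGuid values listed above into their groups and reads digits M and N from the template. It assumes (the post and the documentation it mentions do not state this) that groups 2 and 3 together hold a 32-bit Unix timestamp in seconds, with group 3 as the high half; the function and field names are made up for illustration.

```python
import re
from datetime import datetime, timezone

# ProcessGuid values quoted in the post above, in the order listed there.
SAMPLES = [
    "C591B94E-4BDD-5AAE-0000-001073B13706",  # 3/18
    "C591B94E-1BFA-5AC5-0000-0010E76F3903",  # 4/4
    "C591B94E-A33F-5AE5-0000-001074CA4C26",  # 4/29
    "C591B94E-E23B-5AE9-0000-0010DD40EF32",  # 5/2, different Windows account
    "A15730FB-E3DA-5AE9-0000-0010AB2C0800",  # 5/2, virtual machine
]

GUID_RE = re.compile(
    r"\{?([0-9A-F]{8})-([0-9A-F]{4})-([0-9A-F]{4})-([0-9A-F]{4})-([0-9A-F]{12})\}?",
    re.IGNORECASE,
)

def split_guid(guid):
    """Check the 8-4-4-4-12 hex layout and return the five groups."""
    m = GUID_RE.fullmatch(guid.strip())
    if m is None:
        raise ValueError(f"not an 8-4-4-4-12 GUID: {guid!r}")
    return [g.upper() for g in m.groups()]

def uuid_m_and_n(guid):
    """Digits M and N of the xxxxxxxx-xxxx-Mxxx-Nxxx-xxxxxxxxxxxx template."""
    g = split_guid(guid)
    return int(g[2][0], 16), int(g[3][0], 16)

def decode(guid):
    """Split one ProcessGuid into fields under the assumption in the lead-in."""
    g = split_guid(guid)
    # ASSUMPTION: group 3 is the high 16 bits and group 2 the low 16 bits
    # of a 32-bit Unix timestamp (seconds, UTC).
    seconds = int(g[2] + g[1], 16)
    return {
        "host_prefix": g[0],  # in the post, this changed only with the machine
        "seconds": seconds,
        "utc": datetime.fromtimestamp(seconds, tz=timezone.utc),
        "remainder": g[3] + g[4],  # last 64 bits, left uninterpreted here
    }

if __name__ == "__main__":
    for guid in SAMPLES:
        d = decode(guid)
        print(d["host_prefix"], d["utc"].isoformat(), d["remainder"],
              "M,N =", uuid_m_and_n(guid))
```

Under that assumption, all five samples decode to UTC dates that match the days given in the post.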