Rare Remote Thread Creation By Uncommon Source Image

Action1: actionname = "sa_create_remote_thread" AND (PARENTPROCESSNAME endswith "\bash.exe,\cscript.exe,\cvtres.exe,\defrag.exe,\dialer.exe,\dnx.exe,\esentutl.exe,\excel.exe,\expand.exe,\find.exe,\findstr.exe,\forfiles.exe,\gpupdate.exe,\hh.exe,\installutil.exe,\lync.exe,\makecab.exe,\mDNSResponder.exe,\monitoringhost.exe,\msbuild.exe,\mshta.exe" OR PARENTPROCESSNAME endswith "\mspaint.exe,\outlook.exe,\ping.exe,\provtool.exe,\python.exe,\regsvr32.exe,\robocopy.exe,\runonce.exe,\sapcimc.exe,\smartscreen.exe,\spoolsv.exe,\tstheme.exe,\userinit.exe,\vssadmin.exe,\vssvc.exe,\w3wp.exe,\winscp.exe,\winword.exe,\wmic.exe,\wscript.exe") AND ((PARENTPROCESSNAME != "C:\Windows\System32\Defrag.exe,C:\Windows\System32\makecab.exe" OR PROCESSNAME != "C:\Windows\System32\conhost.exe") AND (PARENTPROCESSNAME != "C:\Windows\System32\provtool.exe" OR PROCESSNAME != "C:\Windows\System32\svchost.exe") AND (PARENTPROCESSNAME != "C:\Windows\System32\userinit.exe" OR PROCESSNAME != "C:\Windows\explorer.exe") AND (PARENTPROCESSNAME notendswith "\WINWORD.EXE" OR PROCESSNAME notstartswith "C:\Program Files (x86)\,C:\Program Files")) AND (PARENTPROCESSNAME notendswith "\SysWOW64\explorer.exe" OR PROCESSNAME != "C:\Program Files (x86)\VMware\VMware Tools\vmtoolsd.exe,C:\Program Files\VMware\VMware Tools\vmtoolsd.exe") select Action1.HOSTNAME,Action1.MESSAGE,Action1.PROCESSNAME,Action1.PARENTPROCESSNAME