diff --git a/tests/testcases/hayabusa_windows.out.yaml b/tests/testcases/hayabusa_windows.out.yaml
index 5e535d1..43d1994 100644
--- a/tests/testcases/hayabusa_windows.out.yaml
+++ b/tests/testcases/hayabusa_windows.out.yaml
@@ -7,7 +7,7 @@ LET temp <= tempdir()[]LET _ <= copy(filename=testDir + "/test_files/EVTX-ATTACK
 "Level": "low",
 "Title": "Possible Timestomping",
 "RecordID": 10147,
- "Details": "Path: C:\\Users\\IEUser\\AppData\\Local\\Temp\\302a23.msi ¦ Proc: C:\\Windows\\System32\\msiexec.exe ¦ User: null ¦ CreateTime: CreationUtcTime ¦ PrevTime: PreviousCreationUtcTime ¦ PID: PID ¦ PGUID: 365ABB72-D0DA-5CC8-0000-00109B5A3C00",
+ "Details": "Path: C:\\Users\\IEUser\\AppData\\Local\\Temp\\302a23.msi ¦ Proc: C:\\Windows\\System32\\msiexec.exe ¦ User: User ¦ CreateTime: CreationUtcTime ¦ PrevTime: PreviousCreationUtcTime ¦ PID: PID ¦ PGUID: 365ABB72-D0DA-5CC8-0000-00109B5A3C00",
 "_Event": {
 "System": {
 "Provider": {
@@ -59,7 +59,7 @@ LET temp <= tempdir()[]LET _ <= copy(filename=testDir + "/test_files/EVTX-ATTACK
 "Level": "low",
 "Title": "Possible Timestomping",
 "RecordID": 10149,
- "Details": "Path: C:\\Windows\\Installer\\304d1c.msi ¦ Proc: C:\\Windows\\system32\\msiexec.exe ¦ User: null ¦ CreateTime: CreationUtcTime ¦ PrevTime: PreviousCreationUtcTime ¦ PID: PID ¦ PGUID: 365ABB72-D0DA-5CC8-0000-0010216F3C00",
+ "Details": "Path: C:\\Windows\\Installer\\304d1c.msi ¦ Proc: C:\\Windows\\system32\\msiexec.exe ¦ User: User ¦ CreateTime: CreationUtcTime ¦ PrevTime: PreviousCreationUtcTime ¦ PID: PID ¦ PGUID: 365ABB72-D0DA-5CC8-0000-0010216F3C00",
 "_Event": {
 "System": {
 "Provider": {
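Review bot: The updated expectation locks in Details strings whose placeholders are no longer resolved to event values: `User: null` becomes the literal field name `User: User` in this hunk and in -59, `PID: 2080` becomes `PID: ProcessId` in -111 and -163, `LID: 65508` becomes `LID: LogonId` in -163, and `PID: 2168` / `OrigFilename: null` become `PID: ProcessId` / `OrigFilename: OriginalFilename` in -228. A concrete value turning into the bare field name looks more like a template-substitution regression in the Hayabusa details rendering than an intended output change, so regenerating the golden file may be silencing a bug; if the field-name form is deliberate, the commit should say why it is the expected output. The old side already contains unresolved names (`PID: PID`, `LGUID: LogonGuid`, `ParentPID: ParentProcessId`), so the underlying issue is presumably in the field mapping that feeds these templates rather than in this test file, and that is where the fix should land before the expectation is updated.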
@@ -111,7 +111,7 @@ LET temp <= tempdir()[]LET _ <= copy(filename=testDir + "/test_files/EVTX-ATTACK
 "Level": "informational",
 "Title": "Reg Key Value Set (Noisy)",
 "RecordID": 10150,
- "Details": "EventType: SetValue ¦ TgtObj: HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\InProgress\\(Default): C:\\Windows\\Installer\\304d1d.ipi ¦ Proc: C:\\Windows\\system32\\msiexec.exe ¦ PID: 2080 ¦ PGUID: 365ABB72-D0DA-5CC8-0000-0010216F3C00",
+ "Details": "EventType: SetValue ¦ TgtObj: HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\InProgress\\(Default): C:\\Windows\\Installer\\304d1d.ipi ¦ Proc: C:\\Windows\\system32\\msiexec.exe ¦ PID: ProcessId ¦ PGUID: 365ABB72-D0DA-5CC8-0000-0010216F3C00",
 "_Event": {
 "System": {
 "Provider": {
@@ -163,7 +163,7 @@ LET temp <= tempdir()[]LET _ <= copy(filename=testDir + "/test_files/EVTX-ATTACK
 "Level": "high",
 "Title": "Proc Exec (Non-Exe Filetype)",
 "RecordID": 10151,
- "Details": "Cmdline: \"C:\\Windows\\Installer\\MSI4FFD.tmp\" ¦ Proc: C:\\Windows\\Installer\\MSI4FFD.tmp ¦ User: IEWIN7\\IEUser ¦ ParentCmdline: C:\\Windows\\system32\\msiexec.exe /V ¦ LID: 65508 ¦ LGUID: LogonGuid ¦ PID: 3680 ¦ PGUID: 365ABB72-D0E4-5CC8-0000-00103CB73E00 ¦ ParentPID: ParentProcessId ¦ ParentPGUID: ParentProcessGuid ¦ Description: ApacheBench command line utility ¦ Product: Apache HTTP Server ¦ Company: Apache Software Foundation ¦ Hashes: SHA1=06B1640F88EDC6A7CE3303CB14A505A86B061616,MD5=E40CF1CC132F25719F86F0FC5870910D,SHA256=A89385CCD4BE489CD069C65DA10A0B952CB3DE9090EF4C9F02E1368392CD66C5,IMPHASH=481F47BBB2C9C21E108D65F52B04C448",
+ "Details": "Cmdline: \"C:\\Windows\\Installer\\MSI4FFD.tmp\" ¦ Proc: C:\\Windows\\Installer\\MSI4FFD.tmp ¦ User: IEWIN7\\IEUser ¦ ParentCmdline: C:\\Windows\\system32\\msiexec.exe /V ¦ LID: LogonId ¦ LGUID: LogonGuid ¦ PID: ProcessId ¦ PGUID: 365ABB72-D0E4-5CC8-0000-00103CB73E00 ¦ ParentPID: ParentProcessId ¦ ParentPGUID: ParentProcessGuid ¦ Description: ApacheBench command line utility ¦ Product: Apache HTTP Server ¦ Company: Apache Software Foundation ¦ Hashes: SHA1=06B1640F88EDC6A7CE3303CB14A505A86B061616,MD5=E40CF1CC132F25719F86F0FC5870910D,SHA256=A89385CCD4BE489CD069C65DA10A0B952CB3DE9090EF4C9F02E1368392CD66C5,IMPHASH=481F47BBB2C9C21E108D65F52B04C448",
 "_Event": {
 "System": {
 "Provider": {
@@ -228,7 +228,7 @@ LET temp <= tempdir()[]LET _ <= copy(filename=testDir + "/test_files/EVTX-ATTACK
 "Level": "informational",
 "Title": "DLL Loaded (Noisy)",
 "RecordID": 10152,
- "Details": "Image: C:\\Windows\\System32\\vbscript.dll ¦ Proc: C:\\Windows\\System32\\msiexec.exe ¦ Description: Microsoft ® VBScript ¦ Product: Microsoft ® VBScript ¦ Company: Microsoft Corporation ¦ Signed: true ¦ Sig: Valid ¦ PID: 2168 ¦ PGUID: 365ABB72-D0E4-5CC8-0000-001022B53E00 ¦ Hash: SHA1=BCF66BE6C4D4FB0775E199C32EE2154AAC97F901,MD5=D4C89F6BCCC04D43BAC82F795A552DA5,SHA256=F7F7BF8C86CD2C6A27D20076B5713FBD60647CE0716DFEC0BB65895E92AE0830,IMPHASH=9F8EEA636265FC0065E869A2EAEFE7AF ¦ OrigFilename: null",
+ "Details": "Image: C:\\Windows\\System32\\vbscript.dll ¦ Proc: C:\\Windows\\System32\\msiexec.exe ¦ Description: Microsoft ® VBScript ¦ Product: Microsoft ® VBScript ¦ Company: Microsoft Corporation ¦ Signed: true ¦ Sig: Valid ¦ PID: ProcessId ¦ PGUID: 365ABB72-D0E4-5CC8-0000-001022B53E00 ¦ Hash: SHA1=BCF66BE6C4D4FB0775E199C32EE2154AAC97F901,MD5=D4C89F6BCCC04D43BAC82F795A552DA5,SHA256=F7F7BF8C86CD2C6A27D20076B5713FBD60647CE0716DFEC0BB65895E92AE0830,IMPHASH=9F8EEA636265FC0065E869A2EAEFE7AF ¦ OrigFilename: OriginalFilename",
 "_Event": {
 "System": {
 "Provider": {