How normal is to have Sysmon detect CreateRemoteThread on a fresh server installation?
As per title. I have installed a fresh Windows Server 2012 R2, applied all updates and then installed Sysmon. Literally nothing else was installed/added. Never started a browser, never opened a web page. The only apps used were the standard utilities that come with the server, i.e. command prompt, server manager, event viewer, etc.
Is it normal to have Sysmon detect CreateRemoteThread twice and then, days later, never again? Is there a scenario, or are there steps in using the standard utilities, that trigger a CreateRemoteThread detection?
Also, notice "SourceImage <unknown process>" in EventData.
Event data 1:
UtcTime 2024-08-08 18:02:08.756
SourceProcessGuid {18B922F1-BBF4-66B4-0500-000000001400}
SourceProcessId 392
SourceImage <unknown process>
TargetProcessGuid {18B922F1-BC01-66B4-1100-000000001400}
TargetProcessId 812
TargetImage C:\Windows\System32\svchost.exe
NewThreadId 1124
StartAddress 0x00007FFF88FCBCC0
StartModule C:\Windows\system32\KERNELBASE.dll
StartFunction CtrlRoutine
SourceUser NT AUTHORITY\SYSTEM
TargetUser NT AUTHORITY\SYSTEM
Event data 2:
UtcTime 2024-08-08 13:32:11.340
SourceProcessGuid {18B922F1-BBF5-66B4-0700-000000001400}
SourceProcessId 456
SourceImage <unknown process>
TargetProcessGuid {18B922F1-C62F-66B4-F503-000000001400}
TargetProcessId 228
TargetImage C:\Windows\system32\cmd.exe
NewThreadId 164
StartAddress 0x00007FFF88FCBCC0
StartModule C:\Windows\system32\KERNELBASE.dll
StartFunction CtrlRoutine
SourceUser NT AUTHORITY\SYSTEM
TargetUser W102\Administrator
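The two records above share one signature: the new thread starts at KERNELBASE.dll!CtrlRoutine and the source process could not be resolved. That is the shape a console control signal (Ctrl+C, Ctrl+Break, or closing a console window) leaves in Sysmon Event ID 8, because the signal is delivered by csrss.exe creating a thread in the target console process to run CtrlRoutine, and csrss is a protected process that Sysmon cannot open, hence "<unknown process>". The following triage helper is an added example, not code from the question or from Sysmon; it parses the flat "Field Value" layout shown above (the two records are copied from the question, the third is constructed), classifies each record, and treats the KERNELBASE/CtrlRoutine pattern as expected while sending threads whose start address is not backed by any module to the review queue. The verdict names, the "-" placeholder Sysmon uses for an empty StartModule/StartFunction, and the constructed suspect record are this example's own assumptions.

```python
"""Triage helper for Sysmon Event ID 8 (CreateRemoteThread) text dumps.

Added example, not from the original post. The classification rules and
verdict names below are this example's own choices.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# The two records from the question, verbatim.
SAMPLE_EVENTS = r"""
UtcTime 2024-08-08 18:02:08.756
SourceProcessGuid {18B922F1-BBF4-66B4-0500-000000001400}
SourceProcessId 392
SourceImage <unknown process>
TargetProcessGuid {18B922F1-BC01-66B4-1100-000000001400}
TargetProcessId 812
TargetImage C:\Windows\System32\svchost.exe
NewThreadId 1124
StartAddress 0x00007FFF88FCBCC0
StartModule C:\Windows\system32\KERNELBASE.dll
StartFunction CtrlRoutine
SourceUser NT AUTHORITY\SYSTEM
TargetUser NT AUTHORITY\SYSTEM

UtcTime 2024-08-08 13:32:11.340
SourceProcessGuid {18B922F1-BBF5-66B4-0700-000000001400}
SourceProcessId 456
SourceImage <unknown process>
TargetProcessGuid {18B922F1-C62F-66B4-F503-000000001400}
TargetProcessId 228
TargetImage C:\Windows\system32\cmd.exe
NewThreadId 164
StartAddress 0x00007FFF88FCBCC0
StartModule C:\Windows\system32\KERNELBASE.dll
StartFunction CtrlRoutine
SourceUser NT AUTHORITY\SYSTEM
TargetUser W102\Administrator
"""

# Constructed record (not from the question): a thread whose start address
# is not backed by a module on disk, which Sysmon reports as "-".
CONSTRUCTED_SUSPECT = r"""
UtcTime 2024-08-08 19:00:00.000
SourceProcessGuid {00000000-0000-0000-0000-000000000000}
SourceProcessId 4321
SourceImage C:\Users\Public\example.exe
TargetProcessGuid {00000000-0000-0000-0000-000000000001}
TargetProcessId 812
TargetImage C:\Windows\System32\svchost.exe
NewThreadId 9999
StartAddress 0x000001F2A3B40000
StartModule -
StartFunction -
SourceUser W102\Administrator
TargetUser NT AUTHORITY\SYSTEM
"""


def parse_events(text: str) -> list[dict[str, str]]:
    """Split flat 'Field Value' dumps into one dict per record.

    Records are separated by a blank line. Each line is a field name, one
    space, then the value; values themselves may contain spaces.
    """
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        record = {}
        for line in block.splitlines():
            line = line.strip()
            if not line:
                continue
            name, _, value = line.partition(" ")
            record[name] = value.strip()
        events.append(record)
    return events


@dataclass
class Triage:
    verdict: str
    notes: list[str] = field(default_factory=list)


def triage(ev: dict[str, str]) -> Triage:
    """Assign a verdict to one CreateRemoteThread record."""
    module = ev.get("StartModule", "").lower()
    function = ev.get("StartFunction", "")
    notes: list[str] = []

    if module.endswith("kernelbase.dll") and function == "CtrlRoutine":
        # Console control signal delivered by csrss.exe into a console
        # process: the expected pattern behind both records in the question.
        verdict = "expected-console-control"
    elif module in ("", "-") or function in ("", "-"):
        # Thread start not backed by any loaded module: review first.
        verdict = "review-unbacked-start"
    else:
        verdict = "review"

    if ev.get("SourceImage") == "<unknown process>":
        notes.append("source image unresolved (protected or exited process)")
    if ev.get("SourceUser") != ev.get("TargetUser"):
        notes.append("cross-user thread creation")
    return Triage(verdict, notes)


if __name__ == "__main__":
    for ev in parse_events(SAMPLE_EVENTS) + parse_events(CONSTRUCTED_SUSPECT):
        result = triage(ev)
        print(ev["UtcTime"], ev["TargetImage"], result.verdict, result.notes)
```

The cross-user note on the second record is informational rather than suspicious on its own: csrss.exe runs as SYSTEM, so a console signal delivered to a cmd.exe owned by an interactive user always shows SYSTEM as SourceUser and the console owner as TargetUser, exactly as the question's second record does.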