12241200x80000000000000003374931Microsoft-Windows-Sysmon/Operationalar-win-dc-DeleteValue2025-11-14 10:09:39.513{CA8A6768-FFA9-6916-9303-000000000304}1436C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-1508665847-1927431286-59614149-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\iAR-WIN-DC\Administrator 12241200x80000000000000003374930Microsoft-Windows-Sysmon/Operationalar-win-dc-DeleteValue2025-11-14 10:09:39.513{CA8A6768-FFA9-6916-9303-000000000304}1436C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-1508665847-1927431286-59614149-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\hAR-WIN-DC\Administrator 12241200x80000000000000003374928Microsoft-Windows-Sysmon/Operationalar-win-dc-DeleteValue2025-11-14 10:09:39.513{CA8A6768-FFA9-6916-9303-000000000304}1436C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-1508665847-1927431286-59614149-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\gAR-WIN-DC\Administrator 12241200x80000000000000003374927Microsoft-Windows-Sysmon/Operationalar-win-dc-DeleteValue2025-11-14 10:09:39.513{CA8A6768-FFA9-6916-9303-000000000304}1436C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-1508665847-1927431286-59614149-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\fAR-WIN-DC\Administrator 12241200x80000000000000003374926Microsoft-Windows-Sysmon/Operationalar-win-dc-DeleteValue2025-11-14 10:09:39.513{CA8A6768-FFA9-6916-9303-000000000304}1436C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-1508665847-1927431286-59614149-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\eAR-WIN-DC\Administrator 12241200x80000000000000003374925Microsoft-Windows-Sysmon/Operationalar-win-dc-DeleteValue2025-11-14 10:09:39.513{CA8A6768-FFA9-6916-9303-000000000304}1436C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-1508665847-1927431286-59614149-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\dAR-WIN-DC\Administrator 12241200x80000000000000003374924Microsoft-Windows-Sysmon/Operationalar-win-dc-DeleteValue2025-11-14 10:09:39.513{CA8A6768-FFA9-6916-9303-000000000304}1436C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-1508665847-1927431286-59614149-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\cAR-WIN-DC\Administrator 12241200x80000000000000003374923Microsoft-Windows-Sysmon/Operationalar-win-dc-DeleteValue2025-11-14 10:09:39.513{CA8A6768-FFA9-6916-9303-000000000304}1436C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-1508665847-1927431286-59614149-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\bAR-WIN-DC\Administrator 12241200x80000000000000003374922Microsoft-Windows-Sysmon/Operationalar-win-dc-DeleteValue2025-11-14 10:09:39.513{CA8A6768-FFA9-6916-9303-000000000304}1436C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-1508665847-1927431286-59614149-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\MRUListAR-WIN-DC\Administrator 12241200x80000000000000003374921Microsoft-Windows-Sysmon/Operationalar-win-dc-DeleteValue2025-11-14 10:09:39.513{CA8A6768-FFA9-6916-9303-000000000304}1436C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-1508665847-1927431286-59614149-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\aAR-WIN-DC\Administrator 13241300x80000000000000003365642Microsoft-Windows-Sysmon/Operationalar-win-dc-SetValue2025-11-14 10:07:30.555{CA8A6768-E973-6916-9700-000000000304}2320C:\Windows\Explorer.EXEHKU\S-1-5-21-1508665847-1927431286-59614149-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\MRUListihbfgedcaAR-WIN-DC\Administrator 13241300x80000000000000003365641Microsoft-Windows-Sysmon/Operationalar-win-dc-SetValue2025-11-14 10:07:30.555{CA8A6768-E973-6916-9700-000000000304}2320C:\Windows\Explorer.EXEHKU\S-1-5-21-1508665847-1927431286-59614149-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\i%%temp%%\1AR-WIN-DC\Administrator