13241300x80000000000000008243Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localT1060,RunKeySetValue2024-06-17 16:00:11.383{8C7CB5F3-5D8B-6670-F302-000000000B03}364C:\Windows\System32\reg.exeHKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnectionsDWORD (0x00000001)AR-WIN-2\Administrator 13241300x80000000000000002161Microsoft-Windows-Sysmon/OperationalEC2AMAZ-E0MDQHDModifyRemoteDesktopStateSetValue2024-06-17 13:51:37.318{8C7CB5F3-3F62-6670-A900-000000000703}3352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnectionsDWORD (0x00000000)EC2AMAZ-E0MDQHD\Administrator 13241300x80000000000000001580Microsoft-Windows-Sysmon/OperationalEC2AMAZ-AF75R8GModifyRemoteDesktopStateSetValue2024-06-17 13:51:17.857{c363d3a1-3f4f-6670-dc00-000000008902}4692C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnectionsDWORD (0x00000000)EC2AMAZ-AF75R8G\Administrator 13241300x8000000000000000974Microsoft-Windows-Sysmon/OperationalEC2AMAZ-VMUFOL1ModifyRemoteDesktopStateSetValue2024-06-17 13:48:12.727{3f437c9e-3e9c-6670-9400-000000008802}2428C:\Windows\system32\reg.exeHKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnectionsDWORD (0x00000000)NT AUTHORITY\SYSTEM 13241300x8000000000000000790Microsoft-Windows-Sysmon/OperationalEC2AMAZ-3C02DE2ModifyRemoteDesktopStateSetValue2024-06-17 13:48:01.370{6CE11793-3E91-6670-7200-000000000603}2640C:\Windows\system32\reg.exeHKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnectionsDWORD (0x00000000)NT AUTHORITY\SYSTEM 13241300x8000000000000000934Microsoft-Windows-Sysmon/OperationalEC2AMAZ-VMUFOL1ModifyRemoteDesktopStateSetValue2024-06-17 13:47:44.102{3f437c9e-3e49-6670-1a00-000000008802}1128C:\Windows\system32\oobe\setup.exeHKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnectionsDWORD (0x00000000)NT AUTHORITY\SYSTEM 13241300x8000000000000000748Microsoft-Windows-Sysmon/OperationalEC2AMAZ-3C02DE2ModifyRemoteDesktopStateSetValue2024-06-17 13:47:30.369{6CE11793-3E4C-6670-1600-000000000603}868C:\Windows\system32\oobe\setup.exeHKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnectionsDWORD (0x00000000)NT AUTHORITY\SYSTEM