154100x800000000000000052100100Microsoft-Windows-Sysmon/Operationalar-win.nas.domain-2025-01-28 17:32:52.432{38b9f94a-14c4-6799-002f-000000003b03}1228C:\Windows\System32\conhost.exe10.0.17763.4840 (WinBuild.160101.0800)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsNT AUTHORITY\SYSTEM{38b9f94a-595b-6797-e703-000000000000}0x3e70SystemSHA1=C09AA822157967C4A27728F5C33D0226C2889954,MD5=C15E2496B1ECA76F4B09B109DAB10FC3,SHA256=AC68880B09834F3F1B12EEA5966F42AD695711E04C34A577596C1578997F90E8,IMPHASH=2D66D2B5F75799553B4E03ECFED0621C{38b9f94a-14c4-6799-ff2e-000000003b03}1764C:\Windows\System32\auditpol.exeC:\Windows\System32\auditpol.exe /set /category:"Policy Change" /success:disableNT AUTHORITY\SYSTEM 154100x800000000000000052100045Microsoft-Windows-Sysmon/Operationalar-win.nas.domain-2025-01-28 17:32:52.383{38b9f94a-14c4-6799-fe2e-000000003b03}7208C:\Windows\System32\conhost.exe10.0.17763.4840 (WinBuild.160101.0800)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsNT AUTHORITY\SYSTEM{38b9f94a-595b-6797-e703-000000000000}0x3e70SystemSHA1=C09AA822157967C4A27728F5C33D0226C2889954,MD5=C15E2496B1ECA76F4B09B109DAB10FC3,SHA256=AC68880B09834F3F1B12EEA5966F42AD695711E04C34A577596C1578997F90E8,IMPHASH=2D66D2B5F75799553B4E03ECFED0621C{38b9f94a-14c4-6799-fd2e-000000003b03}1612C:\Windows\System32\auditpol.exeC:\Windows\System32\auditpol.exe /set /subcategory:"Other Object Access Events" /success:enableNT AUTHORITY\SYSTEM 154100x800000000000000052099991Microsoft-Windows-Sysmon/Operationalar-win.nas.domain-2025-01-28 17:32:52.336{38b9f94a-14c4-6799-fc2e-000000003b03}7468C:\Windows\System32\conhost.exe10.0.17763.4840 (WinBuild.160101.0800)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsNT AUTHORITY\SYSTEM{38b9f94a-595b-6797-e703-000000000000}0x3e70SystemSHA1=C09AA822157967C4A27728F5C33D0226C2889954,MD5=C15E2496B1ECA76F4B09B109DAB10FC3,SHA256=AC68880B09834F3F1B12EEA5966F42AD695711E04C34A577596C1578997F90E8,IMPHASH=2D66D2B5F75799553B4E03ECFED0621C{38b9f94a-14c4-6799-fb2e-000000003b03}2116C:\Windows\System32\auditpol.exeC:\Windows\System32\auditpol.exe /set /subcategory:"Security System Extension" /success:enableNT AUTHORITY\SYSTEM 154100x800000000000000052099938Microsoft-Windows-Sysmon/Operationalar-win.nas.domain-2025-01-28 17:32:52.290{38b9f94a-14c4-6799-fa2e-000000003b03}1628C:\Windows\System32\conhost.exe10.0.17763.4840 (WinBuild.160101.0800)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsNT AUTHORITY\SYSTEM{38b9f94a-595b-6797-e703-000000000000}0x3e70SystemSHA1=C09AA822157967C4A27728F5C33D0226C2889954,MD5=C15E2496B1ECA76F4B09B109DAB10FC3,SHA256=AC68880B09834F3F1B12EEA5966F42AD695711E04C34A577596C1578997F90E8,IMPHASH=2D66D2B5F75799553B4E03ECFED0621C{38b9f94a-14c4-6799-f92e-000000003b03}6396C:\Windows\System32\auditpol.exeC:\Windows\System32\auditpol.exe /set /subcategory:"Logoff" /success:enable /failure:enableNT AUTHORITY\SYSTEM 154100x800000000000000052099883Microsoft-Windows-Sysmon/Operationalar-win.nas.domain-2025-01-28 17:32:52.242{38b9f94a-14c4-6799-f82e-000000003b03}4452C:\Windows\System32\conhost.exe10.0.17763.4840 (WinBuild.160101.0800)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsNT AUTHORITY\SYSTEM{38b9f94a-595b-6797-e703-000000000000}0x3e70SystemSHA1=C09AA822157967C4A27728F5C33D0226C2889954,MD5=C15E2496B1ECA76F4B09B109DAB10FC3,SHA256=AC68880B09834F3F1B12EEA5966F42AD695711E04C34A577596C1578997F90E8,IMPHASH=2D66D2B5F75799553B4E03ECFED0621C{38b9f94a-14c4-6799-f72e-000000003b03}7148C:\Windows\System32\auditpol.exeC:\Windows\System32\auditpol.exe /set /subcategory:"Logon" /success:enable /failure:enableNT AUTHORITY\SYSTEM 154100x800000000000000052099827Microsoft-Windows-Sysmon/Operationalar-win.nas.domain-2025-01-28 17:32:52.186{38b9f94a-14c4-6799-f62e-000000003b03}4012C:\Windows\System32\conhost.exe10.0.17763.4840 (WinBuild.160101.0800)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsNT AUTHORITY\SYSTEM{38b9f94a-595b-6797-e703-000000000000}0x3e70SystemSHA1=C09AA822157967C4A27728F5C33D0226C2889954,MD5=C15E2496B1ECA76F4B09B109DAB10FC3,SHA256=AC68880B09834F3F1B12EEA5966F42AD695711E04C34A577596C1578997F90E8,IMPHASH=2D66D2B5F75799553B4E03ECFED0621C{38b9f94a-14c4-6799-f52e-000000003b03}7104C:\Windows\System32\auditpol.exeC:\Windows\System32\auditpol.exe /set /subcategory:"User Account Management" /success:enableNT AUTHORITY\SYSTEM 154100x800000000000000052099640Microsoft-Windows-Sysmon/Operationalar-win.nas.domain-2025-01-28 17:32:42.045{38b9f94a-14ba-6799-f42e-000000003b03}3456C:\Windows\System32\auditpol.exe10.0.17763.1 (WinBuild.160101.0800)Audit Policy ProgramMicrosoft® Windows® Operating SystemMicrosoft CorporationAUDITPOL.EXEauditpol /resourceSACL /type:File /clearC:\Users\Administrator\Downloads\PSTools\NAS\Administrator{38b9f94a-5a42-6797-8692-110000000000}0x1192862HighSHA1=0A81854C79D49EF3241A962EBFBAEE438CEF1160,MD5=F97C0041886519CEAE336B06AEBFC9E1,SHA256=969306E33A469096EFA20BEE264FB37AC4DA86899F2659007D6BE0D1EB666B1C,IMPHASH=D401223A63DBFDCD11C945B9EEE0BD7E{38b9f94a-c365-6798-7a26-000000003b03}4408C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" NAS\Administrator 154100x800000000000000052099494Microsoft-Windows-Sysmon/Operationalar-win.nas.domain-2025-01-28 17:32:37.973{38b9f94a-14b5-6799-f22e-000000003b03}1112C:\Windows\System32\auditpol.exe10.0.17763.1 (WinBuild.160101.0800)Audit Policy ProgramMicrosoft® Windows® Operating SystemMicrosoft CorporationAUDITPOL.EXEauditpol /set /user:testaudit /exclude /category:* /success:enableC:\Users\Administrator\Downloads\PSTools\NAS\Administrator{38b9f94a-5a42-6797-8692-110000000000}0x1192862HighSHA1=0A81854C79D49EF3241A962EBFBAEE438CEF1160,MD5=F97C0041886519CEAE336B06AEBFC9E1,SHA256=969306E33A469096EFA20BEE264FB37AC4DA86899F2659007D6BE0D1EB666B1C,IMPHASH=D401223A63DBFDCD11C945B9EEE0BD7E{38b9f94a-c365-6798-7a26-000000003b03}4408C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" NAS\Administrator 154100x800000000000000052099458Microsoft-Windows-Sysmon/Operationalar-win.nas.domain-2025-01-28 17:32:37.919{38b9f94a-14b5-6799-f12e-000000003b03}3524C:\Windows\System32\auditpol.exe10.0.17763.1 (WinBuild.160101.0800)Audit Policy ProgramMicrosoft® Windows® Operating SystemMicrosoft CorporationAUDITPOL.EXEauditpol /restore /file:c:\auditpolicy.csvC:\Users\Administrator\Downloads\PSTools\NAS\Administrator{38b9f94a-5a42-6797-8692-110000000000}0x1192862HighSHA1=0A81854C79D49EF3241A962EBFBAEE438CEF1160,MD5=F97C0041886519CEAE336B06AEBFC9E1,SHA256=969306E33A469096EFA20BEE264FB37AC4DA86899F2659007D6BE0D1EB666B1C,IMPHASH=D401223A63DBFDCD11C945B9EEE0BD7E{38b9f94a-c365-6798-7a26-000000003b03}4408C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" NAS\Administrator 154100x800000000000000052099435Microsoft-Windows-Sysmon/Operationalar-win.nas.domain-2025-01-28 17:32:37.884{38b9f94a-14b5-6799-f02e-000000003b03}6868C:\Windows\System32\auditpol.exe10.0.17763.1 (WinBuild.160101.0800)Audit Policy ProgramMicrosoft® Windows® Operating SystemMicrosoft CorporationAUDITPOL.EXEauditpol /set /subcategory:{0CCE922B-69AE-11D9-BED3-505054503030} /success:disableC:\Users\Administrator\Downloads\PSTools\NAS\Administrator{38b9f94a-5a42-6797-8692-110000000000}0x1192862HighSHA1=0A81854C79D49EF3241A962EBFBAEE438CEF1160,MD5=F97C0041886519CEAE336B06AEBFC9E1,SHA256=969306E33A469096EFA20BEE264FB37AC4DA86899F2659007D6BE0D1EB666B1C,IMPHASH=D401223A63DBFDCD11C945B9EEE0BD7E{38b9f94a-c365-6798-7a26-000000003b03}4408C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" NAS\Administrator 154100x800000000000000052099408Microsoft-Windows-Sysmon/Operationalar-win.nas.domain-2025-01-28 17:32:37.847{38b9f94a-14b5-6799-ef2e-000000003b03}8104C:\Windows\System32\auditpol.exe10.0.17763.1 (WinBuild.160101.0800)Audit Policy ProgramMicrosoft® Windows® Operating SystemMicrosoft CorporationAUDITPOL.EXEauditpol /set /category:"Detailed Tracking" /failure:disableC:\Users\Administrator\Downloads\PSTools\NAS\Administrator{38b9f94a-5a42-6797-8692-110000000000}0x1192862HighSHA1=0A81854C79D49EF3241A962EBFBAEE438CEF1160,MD5=F97C0041886519CEAE336B06AEBFC9E1,SHA256=969306E33A469096EFA20BEE264FB37AC4DA86899F2659007D6BE0D1EB666B1C,IMPHASH=D401223A63DBFDCD11C945B9EEE0BD7E{38b9f94a-c365-6798-7a26-000000003b03}4408C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" NAS\Administrator 154100x800000000000000052099390Microsoft-Windows-Sysmon/Operationalar-win.nas.domain-2025-01-28 17:32:37.816{38b9f94a-14b5-6799-ee2e-000000003b03}1612C:\Windows\System32\auditpol.exe10.0.17763.1 (WinBuild.160101.0800)Audit Policy ProgramMicrosoft® Windows® Operating SystemMicrosoft CorporationAUDITPOL.EXEauditpol /remove /allusersC:\Users\Administrator\Downloads\PSTools\NAS\Administrator{38b9f94a-5a42-6797-8692-110000000000}0x1192862HighSHA1=0A81854C79D49EF3241A962EBFBAEE438CEF1160,MD5=F97C0041886519CEAE336B06AEBFC9E1,SHA256=969306E33A469096EFA20BEE264FB37AC4DA86899F2659007D6BE0D1EB666B1C,IMPHASH=D401223A63DBFDCD11C945B9EEE0BD7E{38b9f94a-c365-6798-7a26-000000003b03}4408C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" NAS\Administrator 154100x800000000000000052099357Microsoft-Windows-Sysmon/Operationalar-win.nas.domain-2025-01-28 17:32:37.780{38b9f94a-14b5-6799-ed2e-000000003b03}4628C:\Windows\System32\auditpol.exe10.0.17763.1 (WinBuild.160101.0800)Audit Policy ProgramMicrosoft® Windows® Operating SystemMicrosoft CorporationAUDITPOL.EXEauditpol /clear /yC:\Users\Administrator\Downloads\PSTools\NAS\Administrator{38b9f94a-5a42-6797-8692-110000000000}0x1192862HighSHA1=0A81854C79D49EF3241A962EBFBAEE438CEF1160,MD5=F97C0041886519CEAE336B06AEBFC9E1,SHA256=969306E33A469096EFA20BEE264FB37AC4DA86899F2659007D6BE0D1EB666B1C,IMPHASH=D401223A63DBFDCD11C945B9EEE0BD7E{38b9f94a-c365-6798-7a26-000000003b03}4408C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" NAS\Administrator 154100x800000000000000053346221Microsoft-Windows-Sysmon/Operationalar-win.nas.domain-2025-01-29 10:36:36.052{38b9f94a-04b4-679a-e446-000000003b03}6800C:\Windows\System32\auditpol.exe10.0.17763.1 (WinBuild.160101.0800)Audit Policy ProgramMicrosoft® Windows® Operating SystemMicrosoft CorporationAUDITPOL.EXEauditpol /set /sd:D:(A;;DCSWRPDTRC;;;BA)(A;;DCSWRPDTRC;;;SY)C:\Users\Administrator\Downloads\PSTools\NAS\Administrator{38b9f94a-5a42-6797-8692-110000000000}0x1192862HighSHA1=0A81854C79D49EF3241A962EBFBAEE438CEF1160,MD5=F97C0041886519CEAE336B06AEBFC9E1,SHA256=969306E33A469096EFA20BEE264FB37AC4DA86899F2659007D6BE0D1EB666B1C,IMPHASH=D401223A63DBFDCD11C945B9EEE0BD7E{38b9f94a-c365-6798-7a26-000000003b03}4408C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" NAS\Administrator 13241300x800000000000000053591931Microsoft-Windows-Sysmon/Operationalar-win.nas.domain-SetValue2025-01-29 14:00:29.310{38b9f94a-347d-679a-ac4b-000000003b03}7792C:\Windows\system32\auditpol.exeHKLM\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditingBinary DataNAS\Administrator 154100x800000000000000053591913Microsoft-Windows-Sysmon/Operationalar-win.nas.domain-2025-01-29 14:00:29.297{38b9f94a-347d-679a-ac4b-000000003b03}7792C:\Windows\System32\auditpol.exe10.0.17763.1 (WinBuild.160101.0800)Audit Policy ProgramMicrosoft® Windows® Operating SystemMicrosoft CorporationAUDITPOL.EXEauditpol /set /option:FullPrivilegeAuditing /value:disableC:\Users\Administrator\NAS\Administrator{38b9f94a-5a42-6797-8692-110000000000}0x1192862HighSHA1=0A81854C79D49EF3241A962EBFBAEE438CEF1160,MD5=F97C0041886519CEAE336B06AEBFC9E1,SHA256=969306E33A469096EFA20BEE264FB37AC4DA86899F2659007D6BE0D1EB666B1C,IMPHASH=D401223A63DBFDCD11C945B9EEE0BD7E{38b9f94a-c365-6798-7a26-000000003b03}4408C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" NAS\Administrator 154100x800000000000000053717961Microsoft-Windows-Sysmon/Operationalar-win.nas.domain-2025-01-29 14:52:59.799{38b9f94a-40cb-679a-654d-000000003b03}8228C:\Users\Administrator\Pictures\21026191555\auditpol.exe-----AUDITPOL /logon:noneC:\Users\Administrator\Pictures\21026191555\NAS\Administrator{38b9f94a-5a42-6797-8692-110000000000}0x1192862HighSHA1=095915E8067493DABE5031331E78B56374024229,MD5=2F0050F870B2D49E0880334E4938D528,SHA256=FA575BD24B9A174315BB283C6B47A6C1289B7283B16E699B75E414FB43E8FBDD,IMPHASH=04BC1BB44B63E33C9E720495E0ADBCC7{38b9f94a-c365-6798-7a26-000000003b03}4408C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" NAS\Administrator